SlideShare a Scribd company logo
1 of 14
Presented by
Venkatesh Jambulingam
Cloud Security Expert
05-Dec-2021
Access Management
| 05-Dec-2021 | Venkatesh Jambulingam |
▶Authentication & Authorization
▶Authentication
– Multi-Factor Authentication
– Password less Authentication
– Certificate Based Authentication
– Risk Based Authentication / Adaptive Authentication
▶Authorization
– Single Sign on
– Federation
– SSO Protocols
2
Contents
| 05-Dec-2021 | Venkatesh Jambulingam | 3
Authentication & Authorization
Authorization
(AuthZ)
What can you do
Authentication
(AuthN)
Who you are
Authentication is the process of verifying
a user’s details to identify the user and
grant access to the system
Verification is done by confirming the
truth of an attribute / piece of data
claimed by an identity
e.g., User ID & Password, Biometric, Govt
Issued ID card
Verifies Users Credentials
Occurs before authorization
Authorization is the process of verifying the
authenticated user’s privileges or permissions to
access the resources of the system
Verification is done by checking the privileges
granted to the user in authoritative system such
as identity provider
Verifies users’ permissions to for specific
resources
Occurs after authentication
| 05-Dec-2021 | Venkatesh Jambulingam |
Multifactor authentication (MFA) is a security system that requires more than one method of authentication to verify the user’s
identity. It combines two or more independent credentials to verify the identity. Below given are some of the authentication factors.
4
Multifactor Authentication
The context within which this information is captured
e.g. Geo location, IP address, Links to others, Device used
Age
Gender
Irises
Fingerprints
Voice
Face
is
Access badge
Smart Card
Security token
Mobile phone
ID document
has
Motor skills
Gait Analysis
Keystrokes
Application use
Handwriting
Gestures
does
Password
PIN
Passphrase
Pattern
Image
knows
| 05-Dec-2021 | Venkatesh Jambulingam | 5
One Time Password
Hashing algorithms are used to generate OTPs. The algorithms use two inputs to generate the OTP: a seed and a moving factor
The seed is a static value (secret key) that’s created when you establish a new account on the authentication server.
Based on the moving factor, two types of OTPs are available namely HOTP & TOTP.
The “H” in HOTP stands for Hash-based Message
Authentication Code (HMAC). HMAC-based One-time
Password algorithm (HOTP) is an event-based OTP
where the moving factor in each code is based on a
counter. OTP code is valid till you request next one.
Time-based One-time Password (TOTP) is a time-
based OTP. The seed for TOTP is static, just like in
HOTP, but the moving factor in a TOTP is time-based
rather than counter-based. The amount of time in
which each password is valid is called a timestep.
12345678
Secret Key Moving Factor (Counter)
HOTP Generator
Yubikey
OTP
12345678
OTP
Secret Key Moving Factor (Time)
TOTP Generator
Authenticator App
| 05-Dec-2021 | Venkatesh Jambulingam | 6
Risk Based / Adaptive Authentication
Application
Classification
Certificates &
Authenticators
Session Cookie
fingerprint
Current & Historical
Behavior
HTTP
Headers
Geolocation, Geo velocity
& IP Reputation
Device Type used for
login
User Profile & Level of
Access
Low risk Allow Access
High Risk Deny Access
Medium
Risk
Step-up
Authentication
Risk Score
Risk Engine
It works based on analyzing signals from various sources and arriving at a risk score for a given
session.
Organization policies define the action to be taken based on the risk score calculated.
| 05-Dec-2021 | Venkatesh Jambulingam |
▶Password less authentication is a type of multi-factor authentication (MFA) where passwords are replaced with a more secure
authentication factor, such as a fingerprint or a PIN. Password less authentication relies on the same principles as digital
certificates: a cryptographic key pair with a private and a public key
▶An individual wishing to create a secure account uses a tool (a mobile app, a browser extension, etc.) to generate a public-private
key pair. The private key is stored on the user’s local device and is tied to an authentication factor, such as a fingerprint, PIN, or
voice recognition and it can only be accessed with this gesture.
▶The public key is provided to the website, application, browser, or other online system for which the user wants to have an
account.
7
Password less Authentication
PKI (or Public Key Infrastructure) is the
framework of encryption and cybersecurity
that protects communications between the
server (your website) and the client (the
users).
Fast Identity Online (FIDO) is an initiative
of a group of companies to reduce the use
of multiple usernames and passwords
through the efficient and interoperable use
of authentication factors.
A security key is a small
physical device that looks like
a USB thumb drive and works
in addition to your password
on sites that support it.
| 05-Dec-2021 | Venkatesh Jambulingam | 8
Certificate Based Authentication
Processes involved in request/response
3. PIN/Password to access the private
key is entered
4.Password is verified and username is
extracted from the certificate
1. Login request initiated with the card inserted
7. Sign the challenge
with user’s private key
9. Verify the signature using the public key of the user stored in
the authentication server and send the AuthN status response
5. Only username is sent
2.Certificate Selection and password
prompt for the private key
6. After verifying the username and certificate
validity, a random challenge is sent in plain text
Validation of server certificate
+ HTTPS Connection
8.Signed Challenge is sent to the server
OCSP CRL
Authentication
Server
Server Trust
Store
& Cryptography
Service Provider
Validation of
server certificate
Validation of
user certificate
Smart Card or
Certificate Store
User
Smart Card
Cryptography
Service Provider
User Trust
Store
| 05-Dec-2021 | Venkatesh Jambulingam |
▶Federation (Between different domains)
–Federation is the trust relationship that
exists between these organizations; it
is concerned with where the user’s
credentials are actually stored and how
trusted third-parties can authenticate
against those credentials without
actually seeing them
▶SSO (Various apps in single domain)
–Single Sign on is used to authenticate
and sign in through different
applications in the same domain by
signing in only once at the IDP side
and activating a session
9
SSO / FIM
SAML
OIDC
Federated Identity
Management (FIM)
Single Sign on
(SSO)
OAUTH 2.0
| 05-Dec-2021 | Venkatesh Jambulingam |
▶Security Assertion Markup Language (SAML) is a XML based protocol used for single sign on (SSO) that supports both
authentication and authorization over SOAP/HTTP request between Identity Provider (IDP) & Service Provider (SP).
▶Before the SP can talk to the IdP for identity verification, the two players should define a SAML contract and exchange preliminary
information, via metadata, which includes details like:
–Public keys (used for encryption), Supported encryption algorithms, Endpoint URLs (where to send SAML messages)
–Supported connection methods and Supported XML attribute formats
▶Once both the SP and the IdP know these specifics about each other, they reconfigure themselves accordingly.
10
SAML
1. User attempts to login to service provider directly 2. Service provider redirects the user’s browser to the identity provider
3. User logs into identity provider
4. Identity provider confirms the authentication status as successful
5. SAML assertion is sent to the user’s browser. It contains authN &
authZ related information along with corresponding user profile
6. SAML assertion is sent to the service provider by the
browser
7. Service provider analyses the response and the user is
validated.
8. Access is granted to user based on the
authorization data / user profile in the application
Service Provider (SP) Identity Provider (IDP)
| 05-Dec-2021 | Venkatesh Jambulingam |
▶OIDC is a newer protocol built on top of the OAuth 2.0 framework and uses JSON-based web tokens (JWT) to structure data.
▶JWT is an industry standard used to define the rules to represent and securely transfer claims between two parties namely Identity
Provider (IDP) & Relying Party (RP). Claims are encrypted, sensitive user data, used to support identity verification.
▶OIDC scopes define the claims (the user attributes) that an application can have access to. The IDP maintains a list of acceptable
scopes and after a user explicitly consents to sharing their details (which includes the scopes), the IDP makes the scopes available
to the relying party (application).
▶Before communicating, the Relying Party (RP) and the IDP must exchange metadata. Both parties must agree on possible scopes,
the IDP must assign a secret and client-ID to the RP, and the RP must share the endpoint to receive codes and tokens.
11
OIDC
1. User attempts to login to service provider directly 2. Service provider redirects the user’s browser to the identity provider
3. User logs into identity provider
4. Identity provider confirms the authentication status as successful.
Users are prompted to grant the application access to their data
(specified by the requested scopes).
5. JWT is sent to the user’s browser. It contains authN & authZ related
information along with corresponding user profile
6. JWT is sent to the service provider by the browser
7. Service provider analyses the response and the user is
validated.
8. Access is granted to user based on the
authorization data / user profile in the application
Relying Party (RP) Identity Provider (IDP)
| 05-Dec-2021 | Venkatesh Jambulingam | 12
SAML VS OIDC
▶SAML is an authentication & authorization protocol that
has been in use for long time.
▶SAML uses XML to exchange information. SAML
Assertions/Tokens are larger, and relatively difficult to
process.
▶Does not support user consent natively but can be
achieved with extensive manual development
▶Since SAML has been around for much longer, it’s still
trusted by a lot of organizations, including government
entities. It’s certainly more feature-rich.
▶Suited for organizations and B2B Setup
▶OIDC is a newer protocol and is built on top of the
OAuth 2.0 framework
▶OIDC uses JWTs, which are smaller in size, and
require lightweight processing.
▶OIDC supports user consent by default.
▶OIDC is now starting to catch up with features
supported by SAML
▶Suited for B2C setup and supports authenticating
modern application types like single-page
applications (SPAs) and smartphone applications.
Thank you
Creative
Commons
By Non
Commercial
Share
Alike
This document is shared under
CC BY-NC-SA 4.0 license
| 05-Dec-2021 | Venkatesh Jambulingam | 14
About me
Venkatesh Jambulingam
Cloud Security Expert
Email:
cybervattam@gmail.com
cybervattam@outlook.com
Follow me on

More Related Content

What's hot

76 s201923
76 s20192376 s201923
76 s201923IJRAT
 
Smart Identity for the Hybrid Multicloud World
Smart Identity for the Hybrid Multicloud WorldSmart Identity for the Hybrid Multicloud World
Smart Identity for the Hybrid Multicloud WorldKatherine Cola
 
Two factor authentication-in_your_network_e_guide
Two factor authentication-in_your_network_e_guideTwo factor authentication-in_your_network_e_guide
Two factor authentication-in_your_network_e_guideNick Owen
 
Cloud computing identity management summary
Cloud computing identity management summaryCloud computing identity management summary
Cloud computing identity management summaryBrandon Dunlap
 
Identity and Access Management Introduction
Identity and Access Management IntroductionIdentity and Access Management Introduction
Identity and Access Management IntroductionAidy Tificate
 
Identity & Access Management - Securing Your Data in the 21st Century Enterprise
Identity & Access Management - Securing Your Data in the 21st Century EnterpriseIdentity & Access Management - Securing Your Data in the 21st Century Enterprise
Identity & Access Management - Securing Your Data in the 21st Century EnterpriseLance Peterman
 
Identity & access management
Identity & access managementIdentity & access management
Identity & access managementVandana Verma
 
SailPoint - IdentityNow Identity Governance
SailPoint - IdentityNow Identity GovernanceSailPoint - IdentityNow Identity Governance
SailPoint - IdentityNow Identity GovernanceArijan Horvat
 
Evolveum: All you need to know about identity & access management
Evolveum: All you need to know about identity & access managementEvolveum: All you need to know about identity & access management
Evolveum: All you need to know about identity & access managementEvolveum
 
Intel IT's Identity and Access Management Journey
Intel IT's Identity and Access Management JourneyIntel IT's Identity and Access Management Journey
Intel IT's Identity and Access Management JourneyIntel IT Center
 
IRJET-An Economical and Secured Approach for Continuous and Transparent User ...
IRJET-An Economical and Secured Approach for Continuous and Transparent User ...IRJET-An Economical and Secured Approach for Continuous and Transparent User ...
IRJET-An Economical and Secured Approach for Continuous and Transparent User ...IRJET Journal
 
5 reasons your iam solution will fail
5 reasons your iam solution will fail5 reasons your iam solution will fail
5 reasons your iam solution will failIBM Security
 
Hitachi ID Identity and Access Management Suite
Hitachi ID Identity and Access Management SuiteHitachi ID Identity and Access Management Suite
Hitachi ID Identity and Access Management SuiteHitachi ID Systems, Inc.
 
Kerberos-PKI-Federated identity
Kerberos-PKI-Federated identityKerberos-PKI-Federated identity
Kerberos-PKI-Federated identityWAFAA AL SALMAN
 
Authentication Models
Authentication ModelsAuthentication Models
Authentication ModelsRaj Chanchal
 

What's hot (20)

76 s201923
76 s20192376 s201923
76 s201923
 
Contextual Authentication
Contextual AuthenticationContextual Authentication
Contextual Authentication
 
Smart Identity for the Hybrid Multicloud World
Smart Identity for the Hybrid Multicloud WorldSmart Identity for the Hybrid Multicloud World
Smart Identity for the Hybrid Multicloud World
 
Two factor authentication-in_your_network_e_guide
Two factor authentication-in_your_network_e_guideTwo factor authentication-in_your_network_e_guide
Two factor authentication-in_your_network_e_guide
 
Cloud computing identity management summary
Cloud computing identity management summaryCloud computing identity management summary
Cloud computing identity management summary
 
Identity and Access Management Introduction
Identity and Access Management IntroductionIdentity and Access Management Introduction
Identity and Access Management Introduction
 
Identity & Access Management - Securing Your Data in the 21st Century Enterprise
Identity & Access Management - Securing Your Data in the 21st Century EnterpriseIdentity & Access Management - Securing Your Data in the 21st Century Enterprise
Identity & Access Management - Securing Your Data in the 21st Century Enterprise
 
Identity & access management
Identity & access managementIdentity & access management
Identity & access management
 
Context Based Authentication
Context Based AuthenticationContext Based Authentication
Context Based Authentication
 
Sms based otp
Sms based otpSms based otp
Sms based otp
 
SailPoint - IdentityNow Identity Governance
SailPoint - IdentityNow Identity GovernanceSailPoint - IdentityNow Identity Governance
SailPoint - IdentityNow Identity Governance
 
Evolveum: All you need to know about identity & access management
Evolveum: All you need to know about identity & access managementEvolveum: All you need to know about identity & access management
Evolveum: All you need to know about identity & access management
 
International Journal of Engineering Inventions (IJEI)
International Journal of Engineering Inventions (IJEI)International Journal of Engineering Inventions (IJEI)
International Journal of Engineering Inventions (IJEI)
 
Intel IT's Identity and Access Management Journey
Intel IT's Identity and Access Management JourneyIntel IT's Identity and Access Management Journey
Intel IT's Identity and Access Management Journey
 
IRJET-An Economical and Secured Approach for Continuous and Transparent User ...
IRJET-An Economical and Secured Approach for Continuous and Transparent User ...IRJET-An Economical and Secured Approach for Continuous and Transparent User ...
IRJET-An Economical and Secured Approach for Continuous and Transparent User ...
 
5 reasons your iam solution will fail
5 reasons your iam solution will fail5 reasons your iam solution will fail
5 reasons your iam solution will fail
 
Hitachi ID Identity and Access Management Suite
Hitachi ID Identity and Access Management SuiteHitachi ID Identity and Access Management Suite
Hitachi ID Identity and Access Management Suite
 
Kerberos-PKI-Federated identity
Kerberos-PKI-Federated identityKerberos-PKI-Federated identity
Kerberos-PKI-Federated identity
 
Authentication Models
Authentication ModelsAuthentication Models
Authentication Models
 
IDENTITY ACCESS MANAGEMENT
IDENTITY ACCESS MANAGEMENTIDENTITY ACCESS MANAGEMENT
IDENTITY ACCESS MANAGEMENT
 

Similar to Access management

Identity Federation on JBossAS
Identity Federation on JBossASIdentity Federation on JBossAS
Identity Federation on JBossASRoger CARHUATOCTO
 
Microservice security with spring security 5.1,Oauth 2.0 and open id connect
Microservice security with spring security 5.1,Oauth 2.0 and open id connect Microservice security with spring security 5.1,Oauth 2.0 and open id connect
Microservice security with spring security 5.1,Oauth 2.0 and open id connect Nilanjan Roy
 
Single sign on assistant an authentication brokers
Single sign on assistant an authentication brokersSingle sign on assistant an authentication brokers
Single sign on assistant an authentication brokersFinalyear Projects
 
Multifactor authenticationMultifactor authentication or MFA .docx
Multifactor authenticationMultifactor authentication or MFA .docxMultifactor authenticationMultifactor authentication or MFA .docx
Multifactor authenticationMultifactor authentication or MFA .docxgilpinleeanna
 
ACDKOCHI19 - Enterprise grade security for web and mobile applications on AWS
ACDKOCHI19 - Enterprise grade security for web and mobile applications on AWSACDKOCHI19 - Enterprise grade security for web and mobile applications on AWS
ACDKOCHI19 - Enterprise grade security for web and mobile applications on AWSAWS User Group Kochi
 
IRJET- Data Security with Multifactor Authentication
IRJET- Data Security with Multifactor AuthenticationIRJET- Data Security with Multifactor Authentication
IRJET- Data Security with Multifactor AuthenticationIRJET Journal
 
apidays Helsinki & North 2023 - API authorization with Open Policy Agent, And...
apidays Helsinki & North 2023 - API authorization with Open Policy Agent, And...apidays Helsinki & North 2023 - API authorization with Open Policy Agent, And...
apidays Helsinki & North 2023 - API authorization with Open Policy Agent, And...apidays
 
ADAPTIVE AUTHENTICATION: A CASE STUDY FOR UNIFIED AUTHENTICATION PLATFORM
ADAPTIVE AUTHENTICATION: A CASE STUDY FOR UNIFIED AUTHENTICATION PLATFORM ADAPTIVE AUTHENTICATION: A CASE STUDY FOR UNIFIED AUTHENTICATION PLATFORM
ADAPTIVE AUTHENTICATION: A CASE STUDY FOR UNIFIED AUTHENTICATION PLATFORM csandit
 
Distributed Authorization with Open Policy Agent.pdf
Distributed Authorization with Open Policy Agent.pdfDistributed Authorization with Open Policy Agent.pdf
Distributed Authorization with Open Policy Agent.pdfNordic APIs
 
Understanding Claim based Authentication
Understanding Claim based AuthenticationUnderstanding Claim based Authentication
Understanding Claim based AuthenticationMohammad Yousri
 
Efficient and Secure Single Sign on Mechanism for Distributed Network
Efficient and Secure Single Sign on Mechanism for Distributed NetworkEfficient and Secure Single Sign on Mechanism for Distributed Network
Efficient and Secure Single Sign on Mechanism for Distributed NetworkIJERA Editor
 
[WSO2Con EU 2018] Kicking Your Enterprise Security Up a Notch With Adaptive A...
[WSO2Con EU 2018] Kicking Your Enterprise Security Up a Notch With Adaptive A...[WSO2Con EU 2018] Kicking Your Enterprise Security Up a Notch With Adaptive A...
[WSO2Con EU 2018] Kicking Your Enterprise Security Up a Notch With Adaptive A...WSO2
 
Development of Digital Identity Systems
Development of Digital Identity Systems Development of Digital Identity Systems
Development of Digital Identity Systems Maganathin Veeraragaloo
 
Introducing OpenID 1.0 Protocol: Security and Performance
Introducing OpenID 1.0 Protocol: Security and PerformanceIntroducing OpenID 1.0 Protocol: Security and Performance
Introducing OpenID 1.0 Protocol: Security and PerformanceAmin Saqi
 
JDD2015: Security in the era of modern applications and services - Bolesław D...
JDD2015: Security in the era of modern applications and services - Bolesław D...JDD2015: Security in the era of modern applications and services - Bolesław D...
JDD2015: Security in the era of modern applications and services - Bolesław D...PROIDEA
 
kicking your enterprise security up a notch with adaptive authentication sa...
kicking your enterprise security up a notch with adaptive authentication   sa...kicking your enterprise security up a notch with adaptive authentication   sa...
kicking your enterprise security up a notch with adaptive authentication sa...Sagara Gunathunga
 
Online applications using strong authentication with OTP grid cards
Online applications using strong authentication with OTP grid cardsOnline applications using strong authentication with OTP grid cards
Online applications using strong authentication with OTP grid cardsBayalagmaa Davaanyam
 

Similar to Access management (20)

Presentation
PresentationPresentation
Presentation
 
Identity Federation on JBossAS
Identity Federation on JBossASIdentity Federation on JBossAS
Identity Federation on JBossAS
 
Microservice security with spring security 5.1,Oauth 2.0 and open id connect
Microservice security with spring security 5.1,Oauth 2.0 and open id connect Microservice security with spring security 5.1,Oauth 2.0 and open id connect
Microservice security with spring security 5.1,Oauth 2.0 and open id connect
 
Cloud Identity Management
Cloud Identity ManagementCloud Identity Management
Cloud Identity Management
 
Single sign on assistant an authentication brokers
Single sign on assistant an authentication brokersSingle sign on assistant an authentication brokers
Single sign on assistant an authentication brokers
 
Multifactor authenticationMultifactor authentication or MFA .docx
Multifactor authenticationMultifactor authentication or MFA .docxMultifactor authenticationMultifactor authentication or MFA .docx
Multifactor authenticationMultifactor authentication or MFA .docx
 
ACDKOCHI19 - Enterprise grade security for web and mobile applications on AWS
ACDKOCHI19 - Enterprise grade security for web and mobile applications on AWSACDKOCHI19 - Enterprise grade security for web and mobile applications on AWS
ACDKOCHI19 - Enterprise grade security for web and mobile applications on AWS
 
IRJET- Data Security with Multifactor Authentication
IRJET- Data Security with Multifactor AuthenticationIRJET- Data Security with Multifactor Authentication
IRJET- Data Security with Multifactor Authentication
 
apidays Helsinki & North 2023 - API authorization with Open Policy Agent, And...
apidays Helsinki & North 2023 - API authorization with Open Policy Agent, And...apidays Helsinki & North 2023 - API authorization with Open Policy Agent, And...
apidays Helsinki & North 2023 - API authorization with Open Policy Agent, And...
 
ADAPTIVE AUTHENTICATION: A CASE STUDY FOR UNIFIED AUTHENTICATION PLATFORM
ADAPTIVE AUTHENTICATION: A CASE STUDY FOR UNIFIED AUTHENTICATION PLATFORM ADAPTIVE AUTHENTICATION: A CASE STUDY FOR UNIFIED AUTHENTICATION PLATFORM
ADAPTIVE AUTHENTICATION: A CASE STUDY FOR UNIFIED AUTHENTICATION PLATFORM
 
Distributed Authorization with Open Policy Agent.pdf
Distributed Authorization with Open Policy Agent.pdfDistributed Authorization with Open Policy Agent.pdf
Distributed Authorization with Open Policy Agent.pdf
 
Understanding Claim based Authentication
Understanding Claim based AuthenticationUnderstanding Claim based Authentication
Understanding Claim based Authentication
 
Efficient and Secure Single Sign on Mechanism for Distributed Network
Efficient and Secure Single Sign on Mechanism for Distributed NetworkEfficient and Secure Single Sign on Mechanism for Distributed Network
Efficient and Secure Single Sign on Mechanism for Distributed Network
 
[WSO2Con EU 2018] Kicking Your Enterprise Security Up a Notch With Adaptive A...
[WSO2Con EU 2018] Kicking Your Enterprise Security Up a Notch With Adaptive A...[WSO2Con EU 2018] Kicking Your Enterprise Security Up a Notch With Adaptive A...
[WSO2Con EU 2018] Kicking Your Enterprise Security Up a Notch With Adaptive A...
 
Development of Digital Identity Systems
Development of Digital Identity Systems Development of Digital Identity Systems
Development of Digital Identity Systems
 
120 i143
120 i143120 i143
120 i143
 
Introducing OpenID 1.0 Protocol: Security and Performance
Introducing OpenID 1.0 Protocol: Security and PerformanceIntroducing OpenID 1.0 Protocol: Security and Performance
Introducing OpenID 1.0 Protocol: Security and Performance
 
JDD2015: Security in the era of modern applications and services - Bolesław D...
JDD2015: Security in the era of modern applications and services - Bolesław D...JDD2015: Security in the era of modern applications and services - Bolesław D...
JDD2015: Security in the era of modern applications and services - Bolesław D...
 
kicking your enterprise security up a notch with adaptive authentication sa...
kicking your enterprise security up a notch with adaptive authentication   sa...kicking your enterprise security up a notch with adaptive authentication   sa...
kicking your enterprise security up a notch with adaptive authentication sa...
 
Online applications using strong authentication with OTP grid cards
Online applications using strong authentication with OTP grid cardsOnline applications using strong authentication with OTP grid cards
Online applications using strong authentication with OTP grid cards
 

More from Venkatesh Jambulingam

அடையாள மேலாண்மை | Identity Management in Tamil
அடையாள மேலாண்மை | Identity Management in Tamilஅடையாள மேலாண்மை | Identity Management in Tamil
அடையாள மேலாண்மை | Identity Management in TamilVenkatesh Jambulingam
 
அணுகல் மேலாண்மை | Access Management
அணுகல் மேலாண்மை | Access Managementஅணுகல் மேலாண்மை | Access Management
அணுகல் மேலாண்மை | Access ManagementVenkatesh Jambulingam
 
மேகக்கணிமை | Cloud Computing
மேகக்கணிமை | Cloud Computingமேகக்கணிமை | Cloud Computing
மேகக்கணிமை | Cloud ComputingVenkatesh Jambulingam
 
பொதுத் திறவி உள்கட்டமைப்பு | Public Key Infrastructure in Tamil
பொதுத் திறவி உள்கட்டமைப்பு | Public Key Infrastructure in Tamilபொதுத் திறவி உள்கட்டமைப்பு | Public Key Infrastructure in Tamil
பொதுத் திறவி உள்கட்டமைப்பு | Public Key Infrastructure in TamilVenkatesh Jambulingam
 
களப்பெயர் முறைமை | Domain Name System (DNS)
களப்பெயர் முறைமை | Domain Name System (DNS)களப்பெயர் முறைமை | Domain Name System (DNS)
களப்பெயர் முறைமை | Domain Name System (DNS)Venkatesh Jambulingam
 
கட்டச்சங்கிலி | Blockchain in Tamil
கட்டச்சங்கிலி | Blockchain in Tamilகட்டச்சங்கிலி | Blockchain in Tamil
கட்டச்சங்கிலி | Blockchain in TamilVenkatesh Jambulingam
 
மறைப்பியல் | Cryptography in Tamil
மறைப்பியல் | Cryptography in Tamilமறைப்பியல் | Cryptography in Tamil
மறைப்பியல் | Cryptography in TamilVenkatesh Jambulingam
 

More from Venkatesh Jambulingam (12)

அடையாள மேலாண்மை | Identity Management in Tamil
அடையாள மேலாண்மை | Identity Management in Tamilஅடையாள மேலாண்மை | Identity Management in Tamil
அடையாள மேலாண்மை | Identity Management in Tamil
 
அணுகல் மேலாண்மை | Access Management
அணுகல் மேலாண்மை | Access Managementஅணுகல் மேலாண்மை | Access Management
அணுகல் மேலாண்மை | Access Management
 
Cloud computing Introduction
Cloud computing IntroductionCloud computing Introduction
Cloud computing Introduction
 
மேகக்கணிமை | Cloud Computing
மேகக்கணிமை | Cloud Computingமேகக்கணிமை | Cloud Computing
மேகக்கணிமை | Cloud Computing
 
Public key Infrastructure (PKI)
Public key Infrastructure (PKI)Public key Infrastructure (PKI)
Public key Infrastructure (PKI)
 
பொதுத் திறவி உள்கட்டமைப்பு | Public Key Infrastructure in Tamil
பொதுத் திறவி உள்கட்டமைப்பு | Public Key Infrastructure in Tamilபொதுத் திறவி உள்கட்டமைப்பு | Public Key Infrastructure in Tamil
பொதுத் திறவி உள்கட்டமைப்பு | Public Key Infrastructure in Tamil
 
Domain Name System (DNS)
Domain Name System (DNS)Domain Name System (DNS)
Domain Name System (DNS)
 
களப்பெயர் முறைமை | Domain Name System (DNS)
களப்பெயர் முறைமை | Domain Name System (DNS)களப்பெயர் முறைமை | Domain Name System (DNS)
களப்பெயர் முறைமை | Domain Name System (DNS)
 
Blockchain
BlockchainBlockchain
Blockchain
 
கட்டச்சங்கிலி | Blockchain in Tamil
கட்டச்சங்கிலி | Blockchain in Tamilகட்டச்சங்கிலி | Blockchain in Tamil
கட்டச்சங்கிலி | Blockchain in Tamil
 
Cryptography
CryptographyCryptography
Cryptography
 
மறைப்பியல் | Cryptography in Tamil
மறைப்பியல் | Cryptography in Tamilமறைப்பியல் | Cryptography in Tamil
மறைப்பியல் | Cryptography in Tamil
 

Recently uploaded

Introduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDMIntroduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDMKumar Satyam
 
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Bhuvaneswari Subramani
 
The Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightThe Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightSafe Software
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamUiPathCommunity
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Victor Rentea
 
Modernizing Legacy Systems Using Ballerina
Modernizing Legacy Systems Using BallerinaModernizing Legacy Systems Using Ballerina
Modernizing Legacy Systems Using BallerinaWSO2
 
الأمن السيبراني - ما لا يسع للمستخدم جهله
الأمن السيبراني - ما لا يسع للمستخدم جهلهالأمن السيبراني - ما لا يسع للمستخدم جهله
الأمن السيبراني - ما لا يسع للمستخدم جهلهMohamed Sweelam
 
TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....
TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....
TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....rightmanforbloodline
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Zilliz
 
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider  Progress from Awareness to Implementation.pptxTales from a Passkey Provider  Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider Progress from Awareness to Implementation.pptxFIDO Alliance
 
Top 10 CodeIgniter Development Companies
Top 10 CodeIgniter Development CompaniesTop 10 CodeIgniter Development Companies
Top 10 CodeIgniter Development CompaniesTopCSSGallery
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 
ADP Passwordless Journey Case Study.pptx
ADP Passwordless Journey Case Study.pptxADP Passwordless Journey Case Study.pptx
ADP Passwordless Journey Case Study.pptxFIDO Alliance
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
Choreo: Empowering the Future of Enterprise Software Engineering
Choreo: Empowering the Future of Enterprise Software EngineeringChoreo: Empowering the Future of Enterprise Software Engineering
Choreo: Empowering the Future of Enterprise Software EngineeringWSO2
 
Intro to Passkeys and the State of Passwordless.pptx
Intro to Passkeys and the State of Passwordless.pptxIntro to Passkeys and the State of Passwordless.pptx
Intro to Passkeys and the State of Passwordless.pptxFIDO Alliance
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)Samir Dash
 
Design and Development of a Provenance Capture Platform for Data Science
Design and Development of a Provenance Capture Platform for Data ScienceDesign and Development of a Provenance Capture Platform for Data Science
Design and Development of a Provenance Capture Platform for Data SciencePaolo Missier
 

Recently uploaded (20)

Introduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDMIntroduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDM
 
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
 
The Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightThe Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and Insight
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
Modernizing Legacy Systems Using Ballerina
Modernizing Legacy Systems Using BallerinaModernizing Legacy Systems Using Ballerina
Modernizing Legacy Systems Using Ballerina
 
الأمن السيبراني - ما لا يسع للمستخدم جهله
الأمن السيبراني - ما لا يسع للمستخدم جهلهالأمن السيبراني - ما لا يسع للمستخدم جهله
الأمن السيبراني - ما لا يسع للمستخدم جهله
 
TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....
TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....
TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)
 
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider  Progress from Awareness to Implementation.pptxTales from a Passkey Provider  Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
 
Top 10 CodeIgniter Development Companies
Top 10 CodeIgniter Development CompaniesTop 10 CodeIgniter Development Companies
Top 10 CodeIgniter Development Companies
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
ADP Passwordless Journey Case Study.pptx
ADP Passwordless Journey Case Study.pptxADP Passwordless Journey Case Study.pptx
ADP Passwordless Journey Case Study.pptx
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Choreo: Empowering the Future of Enterprise Software Engineering
Choreo: Empowering the Future of Enterprise Software EngineeringChoreo: Empowering the Future of Enterprise Software Engineering
Choreo: Empowering the Future of Enterprise Software Engineering
 
Intro to Passkeys and the State of Passwordless.pptx
Intro to Passkeys and the State of Passwordless.pptxIntro to Passkeys and the State of Passwordless.pptx
Intro to Passkeys and the State of Passwordless.pptx
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
 
Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..
 
Design and Development of a Provenance Capture Platform for Data Science
Design and Development of a Provenance Capture Platform for Data ScienceDesign and Development of a Provenance Capture Platform for Data Science
Design and Development of a Provenance Capture Platform for Data Science
 

Access management

  • 1. Presented by Venkatesh Jambulingam Cloud Security Expert 05-Dec-2021 Access Management
  • 2. | 05-Dec-2021 | Venkatesh Jambulingam | ▶Authentication & Authorization ▶Authentication – Multi-Factor Authentication – Password less Authentication – Certificate Based Authentication – Risk Based Authentication / Adaptive Authentication ▶Authorization – Single Sign on – Federation – SSO Protocols 2 Contents
  • 3. | 05-Dec-2021 | Venkatesh Jambulingam | 3 Authentication & Authorization Authorization (AuthZ) What can you do Authentication (AuthN) Who you are Authentication is the process of verifying a user’s details to identify the user and grant access to the system Verification is done by confirming the truth of an attribute / piece of data claimed by an identity e.g., User ID & Password, Biometric, Govt Issued ID card Verifies Users Credentials Occurs before authorization Authorization is the process of verifying the authenticated user’s privileges or permissions to access the resources of the system Verification is done by checking the privileges granted to the user in authoritative system such as identity provider Verifies users’ permissions to for specific resources Occurs after authentication
  • 4. | 05-Dec-2021 | Venkatesh Jambulingam | Multifactor authentication (MFA) is a security system that requires more than one method of authentication to verify the user’s identity. It combines two or more independent credentials to verify the identity. Below given are some of the authentication factors. 4 Multifactor Authentication The context within which this information is captured e.g. Geo location, IP address, Links to others, Device used Age Gender Irises Fingerprints Voice Face is Access badge Smart Card Security token Mobile phone ID document has Motor skills Gait Analysis Keystrokes Application use Handwriting Gestures does Password PIN Passphrase Pattern Image knows
  • 5. | 05-Dec-2021 | Venkatesh Jambulingam | 5 One Time Password Hashing algorithms are used to generate OTPs. The algorithms use two inputs to generate the OTP: a seed and a moving factor The seed is a static value (secret key) that’s created when you establish a new account on the authentication server. Based on the moving factor, two types of OTPs are available namely HOTP & TOTP. The “H” in HOTP stands for Hash-based Message Authentication Code (HMAC). HMAC-based One-time Password algorithm (HOTP) is an event-based OTP where the moving factor in each code is based on a counter. OTP code is valid till you request next one. Time-based One-time Password (TOTP) is a time- based OTP. The seed for TOTP is static, just like in HOTP, but the moving factor in a TOTP is time-based rather than counter-based. The amount of time in which each password is valid is called a timestep. 12345678 Secret Key Moving Factor (Counter) HOTP Generator Yubikey OTP 12345678 OTP Secret Key Moving Factor (Time) TOTP Generator Authenticator App
  • 6. | 05-Dec-2021 | Venkatesh Jambulingam | 6 Risk Based / Adaptive Authentication Application Classification Certificates & Authenticators Session Cookie fingerprint Current & Historical Behavior HTTP Headers Geolocation, Geo velocity & IP Reputation Device Type used for login User Profile & Level of Access Low risk Allow Access High Risk Deny Access Medium Risk Step-up Authentication Risk Score Risk Engine It works based on analyzing signals from various sources and arriving at a risk score for a given session. Organization policies define the action to be taken based on the risk score calculated.
  • 7. | 05-Dec-2021 | Venkatesh Jambulingam | ▶Password less authentication is a type of multi-factor authentication (MFA) where passwords are replaced with a more secure authentication factor, such as a fingerprint or a PIN. Password less authentication relies on the same principles as digital certificates: a cryptographic key pair with a private and a public key ▶An individual wishing to create a secure account uses a tool (a mobile app, a browser extension, etc.) to generate a public-private key pair. The private key is stored on the user’s local device and is tied to an authentication factor, such as a fingerprint, PIN, or voice recognition and it can only be accessed with this gesture. ▶The public key is provided to the website, application, browser, or other online system for which the user wants to have an account. 7 Password less Authentication PKI (or Public Key Infrastructure) is the framework of encryption and cybersecurity that protects communications between the server (your website) and the client (the users). Fast Identity Online (FIDO) is an initiative of a group of companies to reduce the use of multiple usernames and passwords through the efficient and interoperable use of authentication factors. A security key is a small physical device that looks like a USB thumb drive and works in addition to your password on sites that support it.
  • 8. | 05-Dec-2021 | Venkatesh Jambulingam | 8 Certificate Based Authentication Processes involved in request/response 3. PIN/Password to access the private key is entered 4.Password is verified and username is extracted from the certificate 1. Login request initiated with the card inserted 7. Sign the challenge with user’s private key 9. Verify the signature using the public key of the user stored in the authentication server and send the AuthN status response 5. Only username is sent 2.Certificate Selection and password prompt for the private key 6. After verifying the username and certificate validity, a random challenge is sent in plain text Validation of server certificate + HTTPS Connection 8.Signed Challenge is sent to the server OCSP CRL Authentication Server Server Trust Store & Cryptography Service Provider Validation of server certificate Validation of user certificate Smart Card or Certificate Store User Smart Card Cryptography Service Provider User Trust Store
  • 9. | 05-Dec-2021 | Venkatesh Jambulingam | ▶Federation (Between different domains) –Federation is the trust relationship that exists between these organizations; it is concerned with where the user’s credentials are actually stored and how trusted third-parties can authenticate against those credentials without actually seeing them ▶SSO (Various apps in single domain) –Single Sign on is used to authenticate and sign in through different applications in the same domain by signing in only once at the IDP side and activating a session 9 SSO / FIM SAML OIDC Federated Identity Management (FIM) Single Sign on (SSO) OAUTH 2.0
  • 10. | 05-Dec-2021 | Venkatesh Jambulingam | ▶Security Assertion Markup Language (SAML) is a XML based protocol used for single sign on (SSO) that supports both authentication and authorization over SOAP/HTTP request between Identity Provider (IDP) & Service Provider (SP). ▶Before the SP can talk to the IdP for identity verification, the two players should define a SAML contract and exchange preliminary information, via metadata, which includes details like: –Public keys (used for encryption), Supported encryption algorithms, Endpoint URLs (where to send SAML messages) –Supported connection methods and Supported XML attribute formats ▶Once both the SP and the IdP know these specifics about each other, they reconfigure themselves accordingly. 10 SAML 1. User attempts to login to service provider directly 2. Service provider redirects the user’s browser to the identity provider 3. User logs into identity provider 4. Identity provider confirms the authentication status as successful 5. SAML assertion is sent to the user’s browser. It contains authN & authZ related information along with corresponding user profile 6. SAML assertion is sent to the service provider by the browser 7. Service provider analyses the response and the user is validated. 8. Access is granted to user based on the authorization data / user profile in the application Service Provider (SP) Identity Provider (IDP)
  • 11. | 05-Dec-2021 | Venkatesh Jambulingam | ▶OIDC is a newer protocol built on top of the OAuth 2.0 framework and uses JSON-based web tokens (JWT) to structure data. ▶JWT is an industry standard used to define the rules to represent and securely transfer claims between two parties namely Identity Provider (IDP) & Relying Party (RP). Claims are encrypted, sensitive user data, used to support identity verification. ▶OIDC scopes define the claims (the user attributes) that an application can have access to. The IDP maintains a list of acceptable scopes and after a user explicitly consents to sharing their details (which includes the scopes), the IDP makes the scopes available to the relying party (application). ▶Before communicating, the Relying Party (RP) and the IDP must exchange metadata. Both parties must agree on possible scopes, the IDP must assign a secret and client-ID to the RP, and the RP must share the endpoint to receive codes and tokens. 11 OIDC 1. User attempts to login to service provider directly 2. Service provider redirects the user’s browser to the identity provider 3. User logs into identity provider 4. Identity provider confirms the authentication status as successful. Users are prompted to grant the application access to their data (specified by the requested scopes). 5. JWT is sent to the user’s browser. It contains authN & authZ related information along with corresponding user profile 6. JWT is sent to the service provider by the browser 7. Service provider analyses the response and the user is validated. 8. Access is granted to user based on the authorization data / user profile in the application Relying Party (RP) Identity Provider (IDP)
  • 12. | 05-Dec-2021 | Venkatesh Jambulingam | 12 SAML VS OIDC ▶SAML is an authentication & authorization protocol that has been in use for long time. ▶SAML uses XML to exchange information. SAML Assertions/Tokens are larger, and relatively difficult to process. ▶Does not support user consent natively but can be achieved with extensive manual development ▶Since SAML has been around for much longer, it’s still trusted by a lot of organizations, including government entities. It’s certainly more feature-rich. ▶Suited for organizations and B2B Setup ▶OIDC is a newer protocol and is built on top of the OAuth 2.0 framework ▶OIDC uses JWTs, which are smaller in size, and require lightweight processing. ▶OIDC supports user consent by default. ▶OIDC is now starting to catch up with features supported by SAML ▶Suited for B2C setup and supports authenticating modern application types like single-page applications (SPAs) and smartphone applications.
  • 13. Thank you Creative Commons By Non Commercial Share Alike This document is shared under CC BY-NC-SA 4.0 license
  • 14. | 05-Dec-2021 | Venkatesh Jambulingam | 14 About me Venkatesh Jambulingam Cloud Security Expert Email: cybervattam@gmail.com cybervattam@outlook.com Follow me on