IdP, SAML, OAuth are new acronyms for identity in the cloud. SAML is used for federated authentication between an identity provider (IdP) like Active Directory and a service provider (SP) like Office 365. The IdP authenticates the user and sends a SAML token with claims to the SP. OAuth streamlines authentication for mobile by issuing short-lived access tokens instead of passing full credentials or SAML assertions between each service. It allows authorization without passwords and tokens can be revoked, reducing risks of compromised apps. Office 365 uses Azure Active Directory as an IdP with SAML or OAuth to authenticate users from an on-premises Active Directory via federation or synchronization.
11. Definition of Terms
SAML
• Security Assertion Markup Language
OAuth
• Open standard for authorization
Federation
• You’ve authenticated to a different system than the one you’re trying to access, your identity has been proven by a 3rd party, and on that basis you’re being allowed into this system
18. Why not use Active Directory?
Bad admin
>>passwords.txt
19. Why not use Active Directory?
No Trust
Bad admin
>>passwords.txt
20. IdP / SP Architecture
[Diagram: a SaaS Solution hosting the Service Provider (SP) and an Enterprise hosting the Identity Provider (IDP), joined by a Trust; the IdP reads Active Directory over LDAP and sends signed Claims to the SP]
21. Common IdP’s
Ping Identity PingFederate
CA SiteMinder
Microsoft ADFS
Shibboleth
Okta
22. Microsoft ADFS
ADFS 1.0 - Part of Windows 2003 R2
ADFS 1.1 - Part of Windows 2008 and R2 (Installed as Role from Server Mgr)
Used SAML 1.x so forget about these
23. Microsoft ADFS
ADFS 2.0 - Released after Windows 2008 R2 as a standalone download
ADFS 2.1 - Part of Windows Server 2012 and installed as a Role
ADFS 3.0 - Part of Windows Server 2012 R2 and installed as a Role Service
ADFS 2.x relies on IIS
ADFS 3.x is built on http.sys (IIS is not installed or needed)
27. IDP trusts Service Provider: Relying Party ID
When a user requests claims from this Federation Service for the relying party, the relying party identifier will be used to identify the relying party for which the claims should be targeted.
Translate: match the incoming SP request to the IdP Relying Party Trust configuration
28. IDP trusts Service Provider: Signature
SAML request from the Service Provider is signed
Not always used
31. IdP / SP Architecture
Authentication (AuthN)
[Diagram: a SaaS Solution hosting the Service Provider (SP) and an Enterprise hosting the Identity Provider (IDP), joined by a Trust; the IdP authenticates the user against Active Directory over LDAP]
32. ADFS Authentication
[Diagram: an ADFS Proxy in front of the ADFS Server inside the Enterprise; the ADFS Server queries Active Directory over LDAP]
ADFS Proxy - 2.x
Web Application Proxy - 3.x
33. ADFS Authentication
Basic Authentication
• Username & password sent in clear text over network
• You should always use SSL/TLS
Windows Integrated (IWA)
• Kerberos, NTLMSSP
• Can work silently / background
34. ADFS Authentication
Forms
• Webpage
• 2FA
• Works with virtually any device
X509 / Client Certificates
35. ADFS Authentication Matrix
[Table: rows Basic Auth, Windows Integrated, Forms, X509 / Client Cert; columns ADFS 2.x, ADFS 2.x Proxy, ADFS 3.x, Web Application Proxy; the per-cell support marks were not captured]
38. IdP / SP Architecture
Claims
[Diagram: a SaaS Solution hosting the Service Provider (SP) and an Enterprise hosting the Identity Provider (IDP), joined by a Trust; the IdP reads Active Directory over LDAP and sends signed Claims to the SP]
39. Claims
SAML assertions contain claims
Attribute claims contain information about the user (email address)
Transformations can convert / modify data before creating the claim
43. IdP / SP Architecture
What does a SP do with the claim?
Verify trust information (cert)
Match claim against a user object in its database/directory
This database usually needs to be pre-populated, although it is possible to use the assertion / claims to do this
[Diagram: a SaaS Solution hosting the Service Provider (SP), which receives the signed Claims]
44. IdP / SP Architecture
Claims
[Diagram: a SaaS Solution hosting the Service Provider (SP) and an Enterprise hosting the Identity Provider (IDP), joined by a Trust; the IdP reads Active Directory over LDAP and sends signed Claims to the SP; the SP directory is populated with accounts]
61. Office 365 & Azure Active Directory Services
[Diagram: Local Active Directory as the Identity Provider (IDP) sending Claims to Azure Active Directory as the Service Provider (SP)]
62. Office 365 & Azure Active Directory Services
[Diagram: Local Active Directory as the Identity Provider (IDP), Azure Active Directory as the Service Provider (SP)]
63. Office 365 & Azure Active Directory Services
[Diagram: Local Active Directory as the Identity Provider (IDP), Azure Active Directory as the Service Provider (SP)]
64. DirSync
DirSync populates Azure Active Directory with user accounts and groups from a local Active Directory
http://blogs.office.com/2014/04/15/synchronizing-your-directory-with-office-365-is-easy/
73. Office 365 Federated Login
Authorization succeeds, account is matched to O365 mail account
74. Problem Solved?
How many times would you want to do this on a mobile device?
SAML / WS-Federation is a heavy process
2-factor authentication is a common enterprise IdP implementation
Cumbersome to end users
75. Problem Solved?
How can we streamline AuthN?
Cache password on mobile device
• What about 2FA?
• Apps get complete access to a user’s account
• Users can’t revoke access to an app / device except by changing their password
• Compromised apps expose the user’s password
• Remember WebDav?
76. Enter OAuth
AuthZ
Authorization (AuthZ) without passwords
Tokens can be revoked
Tokens can be scoped
Tokens can be time-limited
Lightweight
77. Example OAuth Token
{"expires_in":28800,"token_type":"bearer","apicp":"sharefile.com",
 "access_files_folders":true,"change_my_settings":true,"admin_users":true,
 "expires_at_unix":"1,405,816,443.33826","refresh_token":"m5rU7aWB….",
 "subdomain":"danbrinkmann","modify_files_folders":true,"web_app_login":true,
 "admin_accounts":true,"appcp":"sharefile.com","access_token":"m5rU7aWB….."}
78. OAuth vs SAML Token
And I even trimmed out the signing certificate of the SAML Token
{"expires_in":28800,"token_type":"bearer","apicp":"sharefile.com",
 "access_files_folders":true,"change_my_settings":true,"admin_users":true,
 "expires_at_unix":"1,405,816,443.33826","refresh_token":"m5rU7aWB….",
 "subdomain":"danbrinkmann","modify_files_folders":true,"web_app_login":true,
 "admin_accounts":true,"appcp":"sharefile.com","access_token":"m5rU7aWB….."}
<samlp:Response ID="_97c40e4a-d04e-409d-8ecc-1a2728f87873" Version="2.0"
    IssueInstant="2013-01-21T17:50:41.470Z"
    Destination="https://onprem.sharefile.com/saml/acs"
    Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
    InResponseTo="_ef94eec3026e4b49b86d6d162a3def59"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://adfs.sharefiletest.com/adfs/services/trust</Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
  </samlp:Status>
  <Assertion ID="_f1ad9c25-5632-414e-9b9c-e80d08c1f3ca" IssueInstant="2013-01-21T17:50:41.470Z" Version="2.0"
      xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
    <Issuer>http://adfs.sharefiletest.com/adfs/services/trust</Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
        <ds:Reference URI="#_f1ad9c25-5632-414e-9b9c-e80d08c1f3ca">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
          <ds:DigestValue>KXdq8sGKJoFSBSB9YkF9LN7/8Ik=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>aUaw…dzA==</ds:SignatureValue>
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>MIIC…KOw==</ds:X509Certificate>
        </ds:X509Data>
      </KeyInfo>
    </ds:Signature>
    <Subject>
      <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">juliano.maldaner@citrix.com</NameID>
      <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <SubjectConfirmationData InResponseTo="_ef94eec3026e4b49b86d6d162a3def59"
            NotOnOrAfter="2013-01-21T17:55:41.470Z"
            Recipient="https://onprem.sharefile.com/saml/acs" />
      </SubjectConfirmation>
    </Subject>
    <Conditions NotBefore="2013-01-21T17:50:41.467Z" NotOnOrAfter="2013-01-21T18:50:41.467Z">
      <AudienceRestriction>
        <Audience>http://onprem.sharefile.com/saml/info</Audience>
      </AudienceRestriction>
    </Conditions>
    <AttributeStatement>
      <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn">
        <AttributeValue>juliano.maldaner@citrix.com</AttributeValue>
      </Attribute>
    </AttributeStatement>
    <AuthnStatement AuthnInstant="2013-01-21T17:50:41.429Z" SessionIndex="_f1ad9c25-5632-414e-9b9c-e80d08c1f3ca">
      <AuthnContext>
        <AuthnContextClassRef>urn:federation:authentication:windows</AuthnContextClassRef>
      </AuthnContext>
    </AuthnStatement>
  </Assertion>
</samlp:Response>
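Slide 43 lists what an SP has to do with the claim and slide 78 shows the ADFS response it actually receives. The Python below is an added example, not code from the deck or from Citrix/ShareFile, that walks that response through the SP-side checks: Success status, Destination, InResponseTo against the SP's own outstanding request IDs, Issuer, the embedded certificate against the certificate pinned in the Relying Party Trust, the bearer SubjectConfirmation (Recipient, InResponseTo, NotOnOrAfter), Conditions with AudienceRestriction, and finally the UPN claim against a pre-populated account. The sample response is a constructed copy of the slide's response with placeholder signature and certificate values. The cryptographic XML-DSig check is delegated to a caller-supplied function, which in real use should be backed by an XML-DSig library (python-xmlsec or signxml), since the standard library has no exclusive-C14N signature verifier. SP_CONFIG, USER_DIRECTORY, NOW_OK/NOW_LATE and validate_response are names this example introduces.

```python
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
CM_BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
UPN_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"

# The SP side of the Relying Party Trust. URLs are the slide's; the certificate is a
# constructed placeholder, as is the user directory the SP pre-populated (slide 43).
SP_CONFIG = {"acs_url": "https://onprem.sharefile.com/saml/acs",
             "entity_id": "http://onprem.sharefile.com/saml/info",
             "idp_issuer": "http://adfs.sharefiletest.com/adfs/services/trust",
             "idp_cert_b64": "MIIC-PLACEHOLDER-CERT-KOw=="}
USER_DIRECTORY = {"juliano.maldaner@citrix.com": {"mailbox": "jmaldaner"}}
# Constructed clocks: inside the assertion's validity window, and after the bearer window.
NOW_OK = datetime(2013, 1, 21, 17, 52, tzinfo=timezone.utc)
NOW_LATE = datetime(2013, 1, 21, 18, 0, tzinfo=timezone.utc)

# Constructed copy of the slide's ADFS response; signature and certificate are placeholders.
SAMPLE_RESPONSE = """<samlp:Response ID="_97c40e4a-d04e-409d-8ecc-1a2728f87873" Version="2.0"
 IssueInstant="2013-01-21T17:50:41.470Z" Destination="https://onprem.sharefile.com/saml/acs"
 InResponseTo="_ef94eec3026e4b49b86d6d162a3def59" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
 <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://adfs.sharefiletest.com/adfs/services/trust</Issuer>
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <Assertion ID="_f1ad9c25-5632-414e-9b9c-e80d08c1f3ca" IssueInstant="2013-01-21T17:50:41.470Z"
  Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
  <Issuer>http://adfs.sharefiletest.com/adfs/services/trust</Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
   <ds:SignatureValue>PLACEHOLDER-SIGNATURE==</ds:SignatureValue>
   <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data>
    <ds:X509Certificate>MIIC-PLACEHOLDER-CERT-KOw==</ds:X509Certificate></ds:X509Data></KeyInfo>
  </ds:Signature>
  <Subject>
   <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">juliano.maldaner@citrix.com</NameID>
   <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <SubjectConfirmationData InResponseTo="_ef94eec3026e4b49b86d6d162a3def59"
     NotOnOrAfter="2013-01-21T17:55:41.470Z" Recipient="https://onprem.sharefile.com/saml/acs"/>
   </SubjectConfirmation>
  </Subject>
  <Conditions NotBefore="2013-01-21T17:50:41.467Z" NotOnOrAfter="2013-01-21T18:50:41.467Z">
   <AudienceRestriction><Audience>http://onprem.sharefile.com/saml/info</Audience></AudienceRestriction>
  </Conditions>
  <AttributeStatement><Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn">
   <AttributeValue>juliano.maldaner@citrix.com</AttributeValue></Attribute></AttributeStatement>
  <AuthnStatement AuthnInstant="2013-01-21T17:50:41.429Z" SessionIndex="_f1ad9c25-5632-414e-9b9c-e80d08c1f3ca">
   <AuthnContext><AuthnContextClassRef>urn:federation:authentication:windows</AuthnContextClassRef></AuthnContext>
  </AuthnStatement>
 </Assertion>
</samlp:Response>"""


class SamlValidationError(Exception):
    """A check failed: the SP must not create a session from this response."""

def _require(ok, why):
    if not ok:
        raise SamlValidationError(why)

def _ts(value):  # ADFS timestamps look like 2013-01-21T17:50:41.470Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def validate_response(xml_text, sp, outstanding_request_ids, now, xmldsig_verify, users):
    """Return the validated subject and claims, or raise SamlValidationError.

    xmldsig_verify(assertion_element, cert_b64) -> bool must be backed by an XML-DSig
    library; this function only pins the embedded certificate to the configured one."""
    root = ET.fromstring(xml_text)
    _require(root.tag == "{%s}Response" % NS["samlp"], "not a samlp:Response")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    _require(code is not None and code.get("Value") == STATUS_SUCCESS, "IdP did not report Success")
    _require(root.get("Destination") == sp["acs_url"], "Destination is not our ACS URL")
    req_id = root.get("InResponseTo")
    _require(req_id in outstanding_request_ids, "unsolicited or replayed response")
    assertions = root.findall("saml:Assertion", NS)
    _require(len(assertions) == 1, "expected exactly one Assertion")
    a = assertions[0]
    _require(a.findtext("saml:Issuer", namespaces=NS) == sp["idp_issuer"], "Issuer is not the trusted IdP")
    cert = a.findtext("ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS) or ""
    _require("".join(cert.split()) == sp["idp_cert_b64"], "signing certificate is not the pinned IdP certificate")
    _require(xmldsig_verify(a, sp["idp_cert_b64"]), "XML signature does not verify")
    sc = a.find("saml:Subject/saml:SubjectConfirmation", NS)
    scd = None if sc is None else sc.find("saml:SubjectConfirmationData", NS)
    _require(scd is not None and sc.get("Method") == CM_BEARER, "missing bearer SubjectConfirmation")
    _require(scd.get("Recipient") == sp["acs_url"] and scd.get("InResponseTo") == req_id,
             "confirmation data belongs to another request or recipient")
    _require(now < _ts(scd.get("NotOnOrAfter")), "bearer confirmation has expired")
    cond = a.find("saml:Conditions", NS)
    _require(cond is not None and _ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter")),
             "outside the assertion's validity window")
    audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    _require(sp["entity_id"] in audiences, "assertion was not issued for this SP")
    claims = {attr.get("Name"): attr.findtext("saml:AttributeValue", namespaces=NS)
              for attr in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    user = users.get(claims.get(UPN_CLAIM))
    _require(user is not None, "no pre-populated account matches the UPN claim")
    outstanding_request_ids.discard(req_id)  # one-time use, so the same response cannot be replayed
    return {"name_id": a.findtext("saml:Subject/saml:NameID", namespaces=NS), "upn": claims[UPN_CLAIM],
            "claims": claims, "user": user,
            "session_index": a.find("saml:AuthnStatement", NS).get("SessionIndex")}
```

Every failed check raises before any session exists, and the request ID is consumed on success so the same response cannot be presented a second time. The Audience and Recipient checks are what tie the assertion to this particular relying party: the identifier configured in the Relying Party Trust (slide 27) has to reappear as the Audience here, otherwise an assertion minted for a different SP would be accepted.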
79. OAuth in Consumer Lives
Creating a separate username / password not required
82. How OAuth is used in Enterprise Apps
Instead of AuthN each time use AuthZ
Protect mobile application using PIN / Passcode
83. Mobile App Solution
Authenticate via IdP (FTU)
Exchange SAML Token for OAuth Token
Use OAuth Access Token to access the application
84. Mobile App Solution
If the Access Token fails get a new one using the Refresh Token
If the Refresh Token fails then prompt user to re-authenticate
Re-authenticate via IdP
85. Summary
Federation necessary for next-generation & mobile applications
[Diagram: Authentication (AuthN) via SAML; Authorization (AuthZ) via OAuth]
With refresh token:
• send API request with access token
• If access token is invalid, try to update it using refresh token
• if refresh request passes, update the access token and re-send the initial API request
• If refresh request fails, ask user to re-authenticate
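Slides 83 to 85 describe the mobile flow: authenticate once at the IdP, exchange the SAML token for OAuth tokens, then call the API with the access token and fall back to the refresh token before the user is ever sent back to the IdP. The Python below is an added example, not code from the deck or from ShareFile, that implements that loop with in-memory stand-ins for the token endpoint and the API, a controllable clock so expiry is deterministic, and single-use refresh tokens so a revoked token pushes the client back to the IdP. The token JSON it parses follows the shape on slide 77 with made-up values. FakeAuthServer, FakeApi, MobileClient, Clock and the field names are this example's own.

```python
import json

class ReauthRequired(Exception):
    """Both tokens are unusable: send the user back to the IdP (slide 84)."""

class Clock:  # controllable seconds counter so expiry is deterministic (constructed)
    def __init__(self, start=0):
        self.now = start
    def __call__(self):
        return self.now

# Constructed token reply in the shape of slide 77 (values are made up).
SLIDE77_SHAPED_JSON = ('{"expires_in":28800,"token_type":"bearer","apicp":"example.invalid",'
                       '"access_token":"at-constructed","refresh_token":"rt-constructed","subdomain":"x"}')

def parse_token_response(text, now):
    """Keep only what the client caches; expires_at lets it refresh proactively."""
    data = json.loads(text)
    if data.get("token_type", "").lower() != "bearer":
        raise ValueError("unsupported token_type")
    return {"access_token": data["access_token"], "refresh_token": data["refresh_token"],
            "expires_at": now + int(data["expires_in"])}

class FakeAuthServer:
    """In-memory stand-in for the token endpoint behind the IdP (constructed)."""
    def __init__(self, clock, ttl=28800):
        self.clock, self.ttl, self.count = clock, ttl, 0
        self.access = {}   # access_token -> expiry time
        self.refresh = {}  # refresh_token -> still valid?

    def _issue(self):
        self.count += 1
        at, rt = "at-%d" % self.count, "rt-%d" % self.count
        self.access[at] = self.clock() + self.ttl
        self.refresh[rt] = True
        return json.dumps({"expires_in": self.ttl, "token_type": "bearer",
                           "access_token": at, "refresh_token": rt})

    def exchange_saml(self, assertion_accepted):
        """First-time use: a validated SAML token buys the first OAuth token pair."""
        if not assertion_accepted:
            raise PermissionError("SAML assertion rejected")
        return self._issue()

    def refresh_grant(self, rt):
        """Refresh tokens are single-use (rotated); None means the grant was refused."""
        if not self.refresh.get(rt):
            return None
        self.refresh[rt] = False
        return self._issue()

    def revoke(self, rt):  # cuts off a lost device or a compromised app
        self.refresh[rt] = False

    def revoke_access(self, at):  # e.g. an admin ending one session server-side
        self.access.pop(at, None)

    def accepts(self, at):
        return at in self.access and self.clock() < self.access[at]

class FakeApi:  # resource server that checks the bearer token (constructed)
    def __init__(self, auth):
        self.auth = auth

    def get(self, path, access_token):
        if not self.auth.accepts(access_token):
            return 401, None
        return 200, {"path": path}

class MobileClient:
    def __init__(self, auth, api, clock):
        self.auth, self.api, self.clock = auth, api, clock
        self.tokens = None
        self.idp_logins = 0  # how often the user had to go through the IdP (and its 2FA)

    def login_via_idp(self):
        """FTU: authenticate at the IdP, then exchange the SAML token for OAuth tokens."""
        self.idp_logins += 1
        self.tokens = parse_token_response(self.auth.exchange_saml(True), self.clock())

    def _refresh_or_reauth(self):
        fresh = self.auth.refresh_grant(self.tokens["refresh_token"])
        if fresh is None:
            self.tokens = None  # drop the dead pair; the next call needs the IdP again
            raise ReauthRequired("refresh token rejected: prompt the user to re-authenticate")
        self.tokens = parse_token_response(fresh, self.clock())

    def call(self, path):
        """Slide 85's loop: access token, then refresh token, then re-authenticate."""
        if self.tokens is None:
            raise ReauthRequired("no cached tokens")
        if self.clock() >= self.tokens["expires_at"]:
            self._refresh_or_reauth()  # known-expired: refresh before the round trip
        status, body = self.api.get(path, self.tokens["access_token"])
        if status == 401:  # e.g. revoked server-side before local expiry
            self._refresh_or_reauth()
            status, body = self.api.get(path, self.tokens["access_token"])
        if status != 200:
            raise ReauthRequired("API rejected a freshly issued access token")
        return body
```

The client never stores the user's password, which is the point of slide 75: a refresh token revoked at the server stops the device at its next call, a rotated refresh token cannot be replayed by whoever captured the old one, and idp_logins shows how rarely the user has to face the IdP (and its 2FA) once the first token pair exists.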