



A presentation about Authentication I did at the local geekmeet meetup. Some examples of outsourced authentication using CAMS/Shibboleth/OpenID.



Slide 2: AAA
- Authentication (topic of the day)
- Authorization
- Accounting

Slide 3: Why 3 A's?
- It's more modular/flexible
- More secure
- Good code/design practice

Slide 4: Authentication
- Basic security requirement
- Request some form of authentication from a user, server or software
- Verify that the authentication information received is correct

Slide 5: Authentication Mechanisms
- Something you know
- Something you have
- Something you are

Slide 6: Something you know
- Username
- Password
- Answer to a question (think CAPTCHA)

Slide 7: Something you have
- IP address
- Security token
- Electronic signature

Slide 8: Something you are
- Fingerprint
- Iris scan
- Other biometric scans

Slide 9: So what does all that do?
- It proves that you are a…

Slide 10:
- Directory Entry

Slide 11: Who authenticates a user?
- Your application
- Someone else (outsourcing is cool)

Slide 12: Auth in your application
- You have the list of users/passwords
- You have control
- The user doesn't have control
- Doesn't scale (for you or for your users)

Slide 13: Scaling problem for you
- If you have multiple sites/services there's no easy way to share accounts
- Duplication of user data and more configuration
- …

Slide 14: Scaling problem for the user
- I have:
  - 5 email/webmail accounts
  - 2-3 IM accounts
  - 2 secure tokens for electronic banking
  - 10+ Linux accounts
  - 200+ user accounts on various websites (most of which I don't even remember I have)
  - ..and the list goes on

Slide 15: Outsourced/Distributed Authentication
- Clear separation of functionality
- Better control/storage of user database
- Main advantages are increased scalability and SSO (Single Sign On)

Slide 16: Some concepts

Slide 17: Identity Provider
- A computer system that issues credentials to individual end users and also verifies that the issued credentials are valid.
- For OpenID it's called an OpenID Provider
- Both create the usernames/OpenIDs/etc. and do the authentication for them.

Slide 18: Service Provider
- The site that wants to verify the end-user's identifier.
- Also called "Relying Party"

Slide 19: Outsourced Authentication Types
- Centralized (CAMS, or your own solution)
- Federated (Shibboleth)
- Decentralized (OpenID)

Slide 20: CAMS
- Proprietary
- Integration with J2EE servers, Apache
- Pretty good documentation/resources for a closed/commercial solution

Slide 21: CAMS Architecture

Slide 22: Centralized Authentication
- You can make your own
- Allows better control over authentication, but also provides more possibilities for authorization and accounting
- Single point for improvements
- ..but also a single point of failure…

Slide 23: Shibboleth

Slide 24: Shibboleth
- Federated authentication and authorization.
- Open-source and based on open standards (OpenSAML)
- Used in Higher Education in England/Germany

Slide 25: Shibboleth - Federated
- IdPs and SPs are grouped into federations
- Federations are based on trust
- Example: UK Higher Education Federation, Deutsches Forschungsnetz Federation

Slide 26: Shibboleth - Advantages
- Best suited for universities or other types of institutions
- A service provider only needs to know I am from University/Institution X (which they provide a service to) and not who exactly I am
- Where Are You From service – easy finding of your IdP
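The IdP/SP split of slides 17 and 18 and the federation trust model of slides 25 and 26, as an added example (not part of the presentation, and not Shibboleth's or OpenSAML's code): a toy federated exchange in Python in which an identity provider issues a short-lived, signed assertion carrying only an affiliation attribute, and a service provider accepts it only if the issuer appears in its federation metadata. An HMAC over JSON stands in for the XML signature and certificate of a real SAML assertion; all entity IDs, keys and timestamps are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed federation metadata (hypothetical entity IDs). The SP trusts
# exactly these IdPs; the HMAC secrets stand in for the IdP signing
# certificates that real federation metadata carries.
FEDERATION_KEYS = {
    "https://idp.university-x.example": b"constructed-secret-university-x",
    "https://idp.university-y.example": b"constructed-secret-university-y",
}


def _b64(raw):
    return base64.urlsafe_b64encode(raw).decode()


def idp_issue_assertion(idp_id, key, audience, affiliation, now, ttl=300):
    """IdP side. The user has already logged in at the IdP; the IdP issues a
    signed assertion scoped to one SP (audience) that carries only the
    attribute the SP needs (affiliation), not who the user is."""
    payload = {
        "issuer": idp_id,
        "audience": audience,
        "affiliation": affiliation,
        "issued_at": now,
        "expires_at": now + ttl,
        "assertion_id": secrets.token_hex(8),  # unique per assertion, for replay detection
    }
    body = json.dumps(payload, sort_keys=True).encode()
    sig = hmac.new(key, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(sig)


class ServiceProvider:
    """SP / relying party side: verifies assertions against federation metadata."""

    def __init__(self, entity_id, federation_keys, allowed_affiliations):
        self.entity_id = entity_id
        self.federation_keys = federation_keys
        self.allowed_affiliations = set(allowed_affiliations)
        self.seen_assertion_ids = set()  # replay protection (per process here)

    def verify(self, token, now):
        """Return (True, affiliation) if the assertion is acceptable, else
        (False, reason). Nothing in the payload is trusted before the signature
        check, except reading 'issuer' to select the key to check it with."""
        try:
            body_b64, sig_b64 = token.split(".")
            body = base64.urlsafe_b64decode(body_b64)
            sig = base64.urlsafe_b64decode(sig_b64)
            payload = json.loads(body)
        except ValueError:  # wrong number of parts, bad base64 or bad JSON
            return False, "malformed"
        if not isinstance(payload, dict):
            return False, "malformed"
        key = self.federation_keys.get(payload.get("issuer"))
        if key is None:
            return False, "issuer not in federation"
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            return False, "bad signature"
        # From here on the payload is authenticated as coming from a federation IdP.
        try:
            issued_at, expires_at = int(payload["issued_at"]), int(payload["expires_at"])
            assertion_id = str(payload["assertion_id"])
        except (KeyError, TypeError, ValueError):
            return False, "missing fields"
        if payload.get("audience") != self.entity_id:
            return False, "wrong audience"  # assertion was issued for another SP
        if not issued_at <= now < expires_at:
            return False, "expired or not yet valid"
        if assertion_id in self.seen_assertion_ids:
            return False, "replay"
        self.seen_assertion_ids.add(assertion_id)
        affiliation = payload.get("affiliation")
        if affiliation not in self.allowed_affiliations:
            return False, "affiliation not permitted"
        return True, affiliation  # the SP never learns the user's identity


def demo():
    """Run the exchange plus the failure cases an SP must reject."""
    now = 1_700_000_000  # constructed timestamp
    idp = "https://idp.university-x.example"
    aff = "member@university-x.example"
    sp = ServiceProvider("https://library.example/sp", FEDERATION_KEYS, {aff})
    token = idp_issue_assertion(idp, FEDERATION_KEYS[idp], sp.entity_id, aff, now)
    other_sp = idp_issue_assertion(idp, FEDERATION_KEYS[idp], "https://other.example/sp", aff, now)
    not_federated = idp_issue_assertion("https://idp.not-in-federation.example",
                                        b"some-other-key", sp.entity_id, aff, now)
    return {
        "valid": sp.verify(token, now),
        "replay": sp.verify(token, now),
        "expired": sp.verify(token, now + 600),
        "tampered": sp.verify(token[:-4] + "AAAA", now),  # damaged signature
        "wrong_audience": sp.verify(other_sp, now),
        "unknown_issuer": sp.verify(not_federated, now),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:15} {result}")
```

The order of checks is the part worth copying: the issuer name is read only to choose a key, the signature is verified before audience, lifetime, replay or attribute values are looked at, and the SP's decision rests on the affiliation attribute alone, which is exactly the "I only need to know you are from Institution X" property slide 26 describes.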
Slide 27: Shibboleth - Browser POST

Slide 28: Shibboleth - Browser Artifact

Slide 29: Shibboleth - WAYF

Slide 30: Shibboleth - Support
- Everything is open-source and there's a lot of documentation available
- Apache2 module available
- JAAS SecurityFilter available
- Some WAYF implementation samples available

Slide 31: OpenID

Slide 32: OpenID
- Is:
  - An open, decentralized single-sign-on standard
  - A URL
  - A Foundation
  - A buzzword

Slide 33: OpenID - Advantages
- + open
- + gained wide adoption from major players (Google, Microsoft, Yahoo!)
- + fully decentralized
- + lots of application/framework/language support

Slide 34: OpenID - Disadvantages
- - an OpenID is a URL
- - no standard/specification way for something like a WAYF service
- - no trust network
- - big phishing target

Slide 35: OpenID - Demo(s)

Slide 36: Q&A