Shibboleth-based hybrid authentication. MobCom Workshop, February 6th, 2013. Faysal Boukayoua - MSEC
Shibboleth-based hybrid authentication

Demonstrator presentation for a prototype in which a hybrid counterpart of claim-based and network-based authentication is validated. The network-based instance is Shibboleth, while the claim-based one is MSEC's (KaHo Sint-Lieven) privacy-preserving IdM architecture. After the introduction of a few concepts, the raison d'être for this prototype is presented. Subsequently, the followed approach and an evaluative conclusion are put forth.


  1. Shibboleth-based hybrid authentication. MobCom Workshop, February 6th, 2013. Faysal Boukayoua - MSEC
  2. Overview
     • Intro
     • Motivation
     • Prototype
       – Approach
       – Interactions
       – Evaluation
       – Demo
  3. Intro: Context. MobCom topics: loyalty cards & discount vouchers, context-aware services, flexible access control, Shibboleth-based hybrid authentication.
  4. Intro: The old days. Diagram of University A, B and C and their resources (Student Admin, Web Mail, e-Learning, Library, e-Journals, Literature DB, Research DB), with a legend for User Administration, Authorization, Resource, Credentials and Authentication. Source: SWITCHaai (http://goc.pragma-grid.net/pragma-doc/pragma-summit/aai_introduction.ppt)
  5. Intro: Now. The same diagram with an AAI in place at each university. Source: SWITCHaai (http://goc.pragma-grid.net/pragma-doc/pragma-summit/aai_introduction.ppt)
  6. Intro: What is Shibboleth?
     • Federated identity management middleware
     • Interorganisational: identities, trust
     • SAML 2.0-compliant
     • Widely in use
  7. Intro: Shibboleth authentication. Participants: User, User's browser, Identity provider, Service provider.
     1. Request resource
     2. Redirect to IdP
     3. Prompt for authentication
     4. Authenticate
     5. Assert attributes and redirect
     6. Return resource
  8. Intro: MSEC's IdM architecture. Participants: User (smartcard technology), identity providers IdPX, IdPY, IdPZ, service provider SPi.
     1. Mutual auth.
     2. Attribute_query
     3. Review
     4. Confirm
     5. Release_attrs
     Support for:
     • Mutable and new attributes
     • Pseudonymity and anonymity
     • Multiple identity providers
     • Separation between IdPs and SPs
  9. Motivation: comparison of Shibboleth and MSEC's architecture.
         Criterion                        Shibboleth           MSEC's arch.
         Must modify workstation?         Default: no          Yes
         Standards & interoperability
         Strong authentication            Default: passwords   Yes
         User consent                     Default: no          Yes
         Selective disclosure             Default: no          Yes
         Trust in IdP / SP-IdP collusion  Yes                  No
  10. Motivation (2): the same table, with the question: Can we maintain the strengths and mitigate the drawbacks?
  11. Prototype: Approach. Participants: User, Shibboleth Service Provider, Shibboleth Identity Provider, and MSEC identity providers IdPX, IdPY, IdPZ.
      1. SAML attribute query
      2. Mutual auth.
      3. Attribute_query
      4. Review
      5. Confirm
      6. Release_attrs
      7. SAML attribute assertion
  12. Prototype: Interactions. Participants: Phone + secure µSD, User, User's browser, Identity provider, Service Provider.
      1. Request resource
      2. Redirect
      3. Show QR challenge
      4. Scan QR challenge
      5. Show feedback
      6. Review and consent
      8. Authenticate
      9. Disclose requested attributes
      10. Assert attributes and redirect
      11. Return resource
  13. Prototype: Evaluation
      • User consent
      • Selective disclosure
      • Resilience against phishing
      • Shibboleth SP unmodified
      • Portable across workstations
      • Less trust in Shibboleth IdP
  14. Prototype: Demo
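The interaction flow of slide 12 (browser gets a QR challenge, phone answers it over its own channel, user reviews and consents, IdP asserts only the consented attributes), as an added toy model that is not the prototype's code. It assumes an HMAC-based phone answer over a key enrolled out of band, a fixed IdP origin, and constructed sample attributes; the real prototype's smartcard protocol is not reproduced.

```python
import hashlib, hmac, secrets

# Constructed sample data (assumption: the phone's key lives on its secure microSD
# and was enrolled with the IdP out of band; enrollment is not shown here).
IDP_ORIGIN = "idp.example"
USER_ATTRS = {"alice": {"name": "Alice", "affiliation": "student", "birthdate": "1990-01-01"}}

def phone_answer(key, qr):
    """Step 4: the phone scans the QR challenge and answers only for the IdP it was
    enrolled with, binding the answer to that IdP, the browser session and the nonce.
    The answer goes over the phone's own channel (step 8), never via the browser."""
    if qr["idp"] != IDP_ORIGIN:
        return None                       # challenge shown by another site: refuse
    msg = f'{qr["idp"]}|{qr["sid"]}|{qr["nonce"]}'.encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class IdentityProvider:
    def __init__(self, phone_keys):
        self.phone_keys = phone_keys      # user -> shared key
        self.sessions = {}                # sid -> pending challenge

    def start_login(self, sp_id, requested):
        """Steps 2-3: the redirected browser receives a one-time QR challenge."""
        sid, nonce = secrets.token_hex(8), secrets.token_hex(16)
        self.sessions[sid] = {"sp": sp_id, "requested": requested, "nonce": nonce}
        return sid, {"idp": IDP_ORIGIN, "sid": sid, "nonce": nonce, "requested": requested}

    def finish_login(self, sid, user, answer, consented):
        """Steps 8-10: verify the phone's answer, then assert only attributes that
        the SP requested AND the user consented to (selective disclosure)."""
        sess = self.sessions.pop(sid, None)   # single use: a replayed answer finds nothing
        if sess is None or user not in self.phone_keys or answer is None:
            return None
        qr = {"idp": IDP_ORIGIN, "sid": sid, "nonce": sess["nonce"]}
        expected = phone_answer(self.phone_keys[user], qr)
        if not hmac.compare_digest(expected, answer):
            return None
        attrs = {k: v for k, v in USER_ATTRS[user].items()
                 if k in sess["requested"] and k in consented}
        return {"sp": sess["sp"], "user": user, "attributes": attrs}

def run_flow(key=b"alice-phone-key", consented=("name", "affiliation")):
    """Walk the exchange once for 'alice'; return (assertion, replay result)."""
    idp = IdentityProvider({"alice": b"alice-phone-key"})
    sid, qr = idp.start_login("sp.example", ["name", "affiliation", "birthdate"])
    answer = phone_answer(key, qr)                        # phone scans the QR code
    assertion = idp.finish_login(sid, "alice", answer, set(consented))
    replay = idp.finish_login(sid, "alice", answer, set(consented))
    return assertion, replay
```

With the default inputs the SP receives name and affiliation but not the requested birthdate, and replaying the same answer or answering with the wrong key yields no assertion.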
