Federated and fabulous identity
André N. Klingsheim - @klingsen
AppSec AS
Dataforeningen 18.09.2013
Outline
• Federated Identity
• WS-Federation
• Architectural advantages
• Building federated identity systems
• Demo
Federated identity
• Federation – A federation is a collection of realms that have established a
producer-consumer relationship whereby one realm can provide authorized
access to a resource it manages based on an identity, and possibly associated
attributes, that are asserted in another realm*.
 TL;DR: A company can give access to a resource based on an identity asserted by
another company.
• Identity – The identity of an individual is the set of information associated
with that individual in a particular computer system.**
 Can be extended to system entities, such as computers/service accounts.
 The term "principal" is used to refer to system entities/individuals in computer systems.
* Web Services Federation Language (WS-Federation), Version 1.1, December 2006
** S. T. Kent and L. I. Millett, editors, Who Goes There? Authentication Through the Lens of Privacy, The National Academies Press, 2003
The problem at hand
Diagram: a user in "My company" (one realm) wants to use the collaboration website https://collaboration.partner.com, which lives in "Partner company" (another realm).
The classic approach
• Partner company maintains a user database for its application
• Each user from our company is assigned an account for partner's application
• Typical login: username/password
• Many partner websites -> many usernames/passwords
• Challenging to maintain these user IDs
 User quits the company, internal account closed. What about the accounts in all partnering companies' applications?
 Challenging to keep track of who has access to what
 No central management of IDs
• Federated identity to the rescue!
WS-Federation
• Web Services Federation Language
 Contributors: Microsoft, IBM, Novell, Verisign and more.
 Industry standard, freely available.
 Builds upon WS-Security and WS-Trust.
• Defines mechanisms to allow different security realms to federate
• Focused on web services
• Also includes specification for Web (Passive) Requestors
 Enables the WS-Federation protocol to be run through a web browser
 Involves real people!
 We'll be focusing on the web scenario.
The building blocks
• Trust - Trust is the characteristic that one entity is willing to rely upon a second entity to execute a set of actions and/or to make a set of assertions* about a set of subjects and/or scopes.
• Claims based identity
• Claim – A claim is a declaration made by an entity (e.g. name, identity, key,
group, privilege, capability, etc).
• Means to (securely) communicate identity information between realms
• Security Token – A security token represents a collection (one or more) of
claims.
* Claim and assertion are synonyms
Important roles
• Identity Provider (IP) – An Identity Provider is an entity that acts as an
authentication service to end requestors and a data origin authentication
service to service providers.
• Security Token Service (STS) - A Security Token Service is a Web service
that provides issuance and management of security tokens.
• Relying Party – A Web application or service that consumes Security
Tokens issued by a Security Token Service.
Security token
• Contains claims about the user
 Typical claims: Username, user's name, e-mail address, groups (for authz)
• Signed by STS
 RP can verify that it was issued by a trusted STS (signature checked against the key the RP has registered for that issuer)
 Tamper-evident: any change to the token invalidates the signature
• Lifetime (valid from/to)
 RP must reject tokens outside this window (allowing a little clock skew)
• Intended for a particular RP
 RP must check that it is the intended audience; a token issued for another RP must be rejected
• Can also be encrypted -> only the intended RP can decrypt it
• Can come in different formats, often SAML
Security token "IRL"
Federation "IRL"
Diagram: the user in "My company" (realm, Norway) authenticates against the company's IP/STS; the issued token is consumed by relying parties in "Partner company" (realm, USA) and in "Another partner company" (realm).
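The passive-requestor exchange from the WS-Federation slide and the token checks from the security-token slide, as one added example. This is not code from the talk, from WIF or from AD FS: the realm and STS URLs are the ones used on the slides, the JSON token stands in for a SAML assertion, and a shared HMAC key stands in for the STS's XML-Signature key pair (a real RP verifies an asymmetric signature with the issuer's certificate). The checks themselves, signature, trusted issuer, audience and validity window, are exactly what an RP has to perform, and the `tamper` helper shows the attack the signature stops.

```python
"""WS-Federation passive sign-in (wa=wsignin1.0) and the checks a Relying Party
makes on the returned token. Constructed for this example: the HMAC key stands in
for the STS's XML-Signature key pair and the JSON token for a SAML assertion."""
import base64
import binascii
import hashlib
import hmac
import json
import time
from urllib.parse import urlencode

STS_ENDPOINT = "https://adfs.domain.com/STS"      # STS URL used on the slides
STS_ISSUER = "https://adfs.domain.com/STS"        # issuer name the RP trusts
STS_KEY = b"constructed-example-signing-key"      # stand-in for the STS signing key
RP_REALM = "https://collaboration.partner.com/"   # the RP's realm == token audience
CLOCK_SKEW = 60                                   # seconds of tolerated clock drift


def build_signin_url(sts, realm, wctx):
    """RP, step 1: redirect the browser to the STS. wctx is opaque state the RP
    generated and bound to the browser session; it comes back unchanged and must
    never be used as a redirect target."""
    return sts + "?" + urlencode({"wa": "wsignin1.0", "wtrealm": realm, "wctx": wctx})


def issue_token(wtrealm, issuer, key, claims, lifetime_s=300, now=None):
    """STS, step 2: after authenticating the user (not shown), issue a signed token
    addressed to the requesting realm. The payload bytes are signed as sent."""
    now = int(time.time()) if now is None else now
    body = {"iss": issuer, "aud": wtrealm, "nbf": now, "exp": now + lifetime_s,
            "claims": claims}
    payload = json.dumps(body, sort_keys=True).encode()
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.b64encode(payload).decode() + "." + base64.b64encode(sig).decode()


def signin_response(token, wctx):
    """STS: the reply is an HTML form that auto-POSTs these fields to the RP."""
    return {"wa": "wsignin1.0", "wresult": token, "wctx": wctx}


class TokenError(Exception):
    pass


def validate_token(token, expected_audience, trusted_issuers, now=None):
    """RP, step 3: every check that makes a token safe to act on.
    trusted_issuers maps issuer name -> the verification key registered for it."""
    now = int(time.time()) if now is None else now
    try:
        payload_b64, sig_b64 = token.split(".", 1)
        payload = base64.b64decode(payload_b64, validate=True)
        sig = base64.b64decode(sig_b64, validate=True)
        body = json.loads(payload)
    except (ValueError, binascii.Error):
        raise TokenError("malformed token")
    if not isinstance(body, dict):
        raise TokenError("malformed token")
    key = trusted_issuers.get(body.get("iss"))        # choose the key by issuer name ...
    if key is None:
        raise TokenError("untrusted issuer")
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):        # ... then prove that issuer signed it
        raise TokenError("bad signature")
    if body.get("aud") != expected_audience:          # a token for another RP is useless here
        raise TokenError("token not intended for this RP")
    nbf, exp = body.get("nbf"), body.get("exp")
    if not isinstance(nbf, int) or not isinstance(exp, int):
        raise TokenError("missing validity window")
    if not (nbf - CLOCK_SKEW <= now < exp + CLOCK_SKEW):
        raise TokenError("token outside its validity window")
    return body.get("claims", {})


def handle_signin_response(form, trusted_issuers, now=None):
    """RP entry point for the POST. Returns (claims, wctx) or (None, reason)."""
    if form.get("wa") != "wsignin1.0":
        return None, "unexpected wa"
    try:
        claims = validate_token(form.get("wresult", ""), RP_REALM, trusted_issuers, now)
    except TokenError as err:
        return None, str(err)
    return claims, form.get("wctx")


def tamper(token, new_claims):
    """Attacker's move: rewrite the claims but keep the original signature."""
    payload_b64, sig_b64 = token.split(".", 1)
    body = json.loads(base64.b64decode(payload_b64))
    body["claims"] = new_claims
    payload = json.dumps(body, sort_keys=True).encode()
    return base64.b64encode(payload).decode() + "." + sig_b64


if __name__ == "__main__":
    trusted = {STS_ISSUER: STS_KEY}
    alice = {"upn": "alice@mycompany.example", "name": "Alice", "groups": ["Editors"]}
    print(build_signin_url(STS_ENDPOINT, RP_REALM, "ctx-42"))
    token = issue_token(RP_REALM, STS_ISSUER, STS_KEY, alice)
    print(handle_signin_response(signin_response(token, "ctx-42"), trusted))
    print(handle_signin_response(signin_response(tamper(token, {"groups": ["Admins"]}), "ctx-42"), trusted))
```

The order of checks matters: the issuer name is only used to pick a key, and nothing in the token is trusted until the signature over the exact bytes received has been verified with that key. Audience and lifetime are checked after that, because an attacker who can replay a valid token for another RP, or an expired one, has not had to forge anything.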
Architectural advantages
• Separates authentication logic from application
• Enables single-sign-on for a suite of applications
 Provides a seamless experience across stand-alone applications
• Yields great flexibility when building e.g. an online bank
 Different services can be provided through separate applications
 Simplifies releases
 Makes it easier for multiple teams to work in parallel
 Opens the possibility to host different applications in separate environments
 E.g. some apps hosted locally, some apps hosted in the cloud
 Simplifies integration of third party applications
 Facilitates privacy-by-design, carefully selecting claims provided to various
applications
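The privacy-by-design point above, selecting which claims each application gets, is decided at the STS, not at the RP. The following is an added example (not code from the talk, from WIF or from AD FS; the user record, the RP realms and the policy table are all constructed) of a per-RP issuance policy: each RP is allowed a fixed set of claim types, raw directory groups are translated into RP-specific roles instead of being copied into the token, and an RP without a policy, or a user with no role at that RP, gets no token at all. AD FS expresses the same idea as issuance transform and issuance authorization rules on each relying party trust.

```python
"""STS-side claim selection per relying party: allowlist of claim types,
group-to-role translation, deny by default. All data below is constructed."""


# Constructed directory record; contains more than any single RP should see.
DIRECTORY = {
    "alice": {
        "upn": "alice@mycompany.example",
        "name": "Alice Example",
        "email": "alice@mycompany.example",
        "phone": "+47 555 0100",
        "employee_id": "E-1042",
        "groups": ["Domain Users", "Finance-Readers", "Partner-Collab-Editors", "VPN-Users"],
    }
}

# Constructed per-RP issuance policy, keyed by the RP's realm (the token audience).
RP_POLICY = {
    "https://collaboration.partner.com/": {
        "claims": ["upn", "name"],            # e-mail, phone and employee id stay in our realm
        "roles": {"Partner-Collab-Editors": "editor", "Partner-Collab-Viewers": "viewer"},
    },
    "https://finance.mycompany.example/": {
        "claims": ["upn", "name", "email", "employee_id"],
        "roles": {"Finance-Readers": "reader", "Finance-Approvers": "approver"},
    },
}


class IssuancePolicyError(Exception):
    pass


def claims_for_rp(rp_realm, username, directory=DIRECTORY, policy=RP_POLICY):
    """Return the claims the STS may put in a token for rp_realm, or raise.
    Deny by default: no policy, unknown user, or no role at this RP -> no token."""
    rule = policy.get(rp_realm)
    if rule is None:
        raise IssuancePolicyError("no issuance policy for " + rp_realm)
    record = directory.get(username)
    if record is None:
        raise IssuancePolicyError("unknown user")
    # Only the claim types this RP is entitled to, only if the user has them.
    claims = {name: record[name] for name in rule["claims"] if name in record}
    # Directory groups never leave as-is; they are mapped to RP-specific roles.
    roles = sorted({rule["roles"][g] for g in record["groups"] if g in rule["roles"]})
    if not roles:
        raise IssuancePolicyError("user has no role at " + rp_realm)
    claims["roles"] = roles
    return claims


if __name__ == "__main__":
    for realm in list(RP_POLICY) + ["https://unknown.example/"]:
        try:
            print(realm, claims_for_rp(realm, "alice"))
        except IssuancePolicyError as err:
            print(realm, "DENIED:", err)
```

The same user thus appears to the partner's collaboration site as `upn`, `name` and the role `editor`, and to the internal finance application with an e-mail address, an employee id and the role `reader`; neither sees the other's groups or the phone number.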
How we used to do things
Diagram: one monolithic online banking application containing authentication, accounts/payment, stocks/funds, debit/credit cards, loans and personal finance.
How we can do things now
Diagram: an online banking application suite. Authentication moves into an IP/STS; accounts/payment, stocks/funds, debit/credit cards, loans and personal finance become separate relying parties (RPs).
A few challenges
• Providing flexibility in common functionality
 Handling change to "shared" menus etc.
• Care must be taken with regards to session management
 Once the RP has validated the token it typically issues its own session cookie; that cookie should not outlive the token's validity, or the RP keeps trusting claims the STS would no longer issue
 Signing out of one RP does not end the SSO session at the STS or at the other RPs unless sign-out is federated (WS-Federation defines wsignout1.0 for this)
Building federated identity systems
• We need at least three things: an IP, an STS, and an RP
• The RP usually contains the features (customer value). Everyone wants this!
• IPs and STSs you build because you have to (though some of us think it's great fun)
• Want to spend as much time as possible on building the fun stuff – features.
• Authentication as a service?
Windows Identity Foundation
• Framework for building identity-aware applications
• Included in the .NET Framework 4.5
 Available as a separate library before .NET 4.5
• Provides APIs for building Relying Parties and STSs
 Provides a programming model for working with claims based identity
• Provides out-of-the-box functionality for RPs
AD FS
• Active Directory Federation Services
• AD-integrated STS
• Included in Windows Server 2008/2012
• Enables federation of AD-identities
• Seamless experience for users
AD FS
Diagram: the user in "My company" authenticates against AD FS at https://adfs.domain.com/STS, which acts as IP and STS on top of Active Directory (AD); the token is consumed by the RP, the collaboration website https://collaboration.partner.com in "Partner company".
ACS
• Windows Azure Active Directory Access Control (aka ACS)
• Cloud based service
• Facilitates authentication and manages authorization of users
• Supports several identity providers
 AD FS
 Windows Live ID / Google / Yahoo! / Facebook
• Windows Identity Foundation integration
ACS
Diagram: the user signs in to https://usefulwebsite.mycompany.com (the RP, in "My company") via ACS, which runs in the cloud and brokers authentication to identity providers such as Windows Live ID and Google.
Demo!
Thank you!
André N. Klingsheim - @klingsen
AppSec AS
www.dotnetnoob.com

More Related Content

What's hot

Primend Pilvesminar - Enterprise Cloud Suite
Primend Pilvesminar - Enterprise Cloud SuitePrimend Pilvesminar - Enterprise Cloud Suite
Primend Pilvesminar - Enterprise Cloud Suite
Primend
 
Single SignOn with Federation using Claims
Single SignOn with Federation using ClaimsSingle SignOn with Federation using Claims
Single SignOn with Federation using Claims
Volkan Uzun
 
SharePoint Access Control and Claims Based Authentication
SharePoint Access Control and Claims Based AuthenticationSharePoint Access Control and Claims Based Authentication
SharePoint Access Control and Claims Based AuthenticationJonathan Schultz
 
Pki Digital Id Itmc University Wisconsin
Pki Digital Id Itmc University WisconsinPki Digital Id Itmc University Wisconsin
Pki Digital Id Itmc University WisconsinNicholas Davis
 
Cram Class - Lesson 1
Cram Class - Lesson 1Cram Class - Lesson 1
Cram Class - Lesson 1
AlexsCloud
 
Essential MDM configurations
Essential MDM configurationsEssential MDM configurations
Essential MDM configurations
Peter Hewer
 
Identity Management
Identity ManagementIdentity Management
Identity Management
Venkatesh Jambulingam
 
Solving problems with authentication
Solving problems with authenticationSolving problems with authentication
Solving problems with authentication
MecklerMedia
 
Saml vs Oauth : Which one should I use?
Saml vs Oauth : Which one should I use?Saml vs Oauth : Which one should I use?
Saml vs Oauth : Which one should I use?Anil Saldanha
 
20040928-Collaboration-Kosaka.ppt
20040928-Collaboration-Kosaka.ppt20040928-Collaboration-Kosaka.ppt
20040928-Collaboration-Kosaka.pptVideoguy
 
Gestión de identidad en Cloud
Gestión de identidad en CloudGestión de identidad en Cloud
Gestión de identidad en CloudIbon Landa
 
It survey
It surveyIt survey
It survey
Laura De Laender
 
Complete Guide to Setup Secure Scheme for Restful APIs
Complete Guide to Setup Secure Scheme for Restful APIsComplete Guide to Setup Secure Scheme for Restful APIs
Complete Guide to Setup Secure Scheme for Restful APIs
Xing (Xingheng) Wang
 
Presentation4 Test
Presentation4 TestPresentation4 Test
Presentation4 Test
Robert Wilson
 
OISC2013_Presentation
OISC2013_PresentationOISC2013_Presentation
OISC2013_PresentationAustin Nagel
 

What's hot (19)

Primend Pilvesminar - Enterprise Cloud Suite
Primend Pilvesminar - Enterprise Cloud SuitePrimend Pilvesminar - Enterprise Cloud Suite
Primend Pilvesminar - Enterprise Cloud Suite
 
Single SignOn with Federation using Claims
Single SignOn with Federation using ClaimsSingle SignOn with Federation using Claims
Single SignOn with Federation using Claims
 
SharePoint Access Control and Claims Based Authentication
SharePoint Access Control and Claims Based AuthenticationSharePoint Access Control and Claims Based Authentication
SharePoint Access Control and Claims Based Authentication
 
Devi
DeviDevi
Devi
 
Pki Digital Id Itmc University Wisconsin
Pki Digital Id Itmc University WisconsinPki Digital Id Itmc University Wisconsin
Pki Digital Id Itmc University Wisconsin
 
Wif and sl4 (en)
Wif and sl4 (en)Wif and sl4 (en)
Wif and sl4 (en)
 
Cram Class - Lesson 1
Cram Class - Lesson 1Cram Class - Lesson 1
Cram Class - Lesson 1
 
Essential MDM configurations
Essential MDM configurationsEssential MDM configurations
Essential MDM configurations
 
Identity Management
Identity ManagementIdentity Management
Identity Management
 
Solving problems with authentication
Solving problems with authenticationSolving problems with authentication
Solving problems with authentication
 
KDAC
KDACKDAC
KDAC
 
Saml vs Oauth : Which one should I use?
Saml vs Oauth : Which one should I use?Saml vs Oauth : Which one should I use?
Saml vs Oauth : Which one should I use?
 
20040928-Collaboration-Kosaka.ppt
20040928-Collaboration-Kosaka.ppt20040928-Collaboration-Kosaka.ppt
20040928-Collaboration-Kosaka.ppt
 
Gestión de identidad en Cloud
Gestión de identidad en CloudGestión de identidad en Cloud
Gestión de identidad en Cloud
 
SSO - Presentation
SSO - PresentationSSO - Presentation
SSO - Presentation
 
It survey
It surveyIt survey
It survey
 
Complete Guide to Setup Secure Scheme for Restful APIs
Complete Guide to Setup Secure Scheme for Restful APIsComplete Guide to Setup Secure Scheme for Restful APIs
Complete Guide to Setup Secure Scheme for Restful APIs
 
Presentation4 Test
Presentation4 TestPresentation4 Test
Presentation4 Test
 
OISC2013_Presentation
OISC2013_PresentationOISC2013_Presentation
OISC2013_Presentation
 

Viewers also liked

CIS13: So, You Want to Be a Relying Party: Federated Login with Google Identi...
CIS13: So, You Want to Be a Relying Party: Federated Login with Google Identi...CIS13: So, You Want to Be a Relying Party: Federated Login with Google Identi...
CIS13: So, You Want to Be a Relying Party: Federated Login with Google Identi...
CloudIDSummit
 
Common Challenges of Identity Management and Federated Single Sign-On in a Sa...
Common Challenges of Identity Management and Federated Single Sign-On in a Sa...Common Challenges of Identity Management and Federated Single Sign-On in a Sa...
Common Challenges of Identity Management and Federated Single Sign-On in a Sa...
CA Technologies
 
CIS14: Why Federated Access Needs a Federated Identity
CIS14: Why Federated Access Needs a Federated IdentityCIS14: Why Federated Access Needs a Federated Identity
CIS14: Why Federated Access Needs a Federated Identity
CloudIDSummit
 
Enterprise & Web based Federated Identity Management & Data Access Controls
Enterprise & Web based Federated Identity Management & Data Access Controls Enterprise & Web based Federated Identity Management & Data Access Controls
Enterprise & Web based Federated Identity Management & Data Access Controls
Kingsley Uyi Idehen
 
Federation in Practice
Federation in PracticeFederation in Practice
Federation in Practice
ForgeRock
 
OpenAM - An Introduction
OpenAM - An IntroductionOpenAM - An Introduction
OpenAM - An Introduction
ForgeRock
 

Viewers also liked (6)

CIS13: So, You Want to Be a Relying Party: Federated Login with Google Identi...
CIS13: So, You Want to Be a Relying Party: Federated Login with Google Identi...CIS13: So, You Want to Be a Relying Party: Federated Login with Google Identi...
CIS13: So, You Want to Be a Relying Party: Federated Login with Google Identi...
 
Common Challenges of Identity Management and Federated Single Sign-On in a Sa...
Common Challenges of Identity Management and Federated Single Sign-On in a Sa...Common Challenges of Identity Management and Federated Single Sign-On in a Sa...
Common Challenges of Identity Management and Federated Single Sign-On in a Sa...
 
CIS14: Why Federated Access Needs a Federated Identity
CIS14: Why Federated Access Needs a Federated IdentityCIS14: Why Federated Access Needs a Federated Identity
CIS14: Why Federated Access Needs a Federated Identity
 
Enterprise & Web based Federated Identity Management & Data Access Controls
Enterprise & Web based Federated Identity Management & Data Access Controls Enterprise & Web based Federated Identity Management & Data Access Controls
Enterprise & Web based Federated Identity Management & Data Access Controls
 
Federation in Practice
Federation in PracticeFederation in Practice
Federation in Practice
 
OpenAM - An Introduction
OpenAM - An IntroductionOpenAM - An Introduction
OpenAM - An Introduction
 

Similar to Federated and fabulous identity

NIC 2014 Modern Authentication for the Cloud Era
NIC 2014 Modern Authentication for the Cloud EraNIC 2014 Modern Authentication for the Cloud Era
NIC 2014 Modern Authentication for the Cloud EraMorgan Simonsen
 
NUS-ISS Learning Day 2019-Software Platforms - Welcoming Unknown Enemies?
NUS-ISS Learning Day 2019-Software Platforms - Welcoming Unknown Enemies?NUS-ISS Learning Day 2019-Software Platforms - Welcoming Unknown Enemies?
NUS-ISS Learning Day 2019-Software Platforms - Welcoming Unknown Enemies?
NUS-ISS
 
Identity 2.0 and User-Centric Identity
Identity 2.0 and User-Centric IdentityIdentity 2.0 and User-Centric Identity
Identity 2.0 and User-Centric IdentityOliver Pfaff
 
talk6securingcloudamarprusty-191030091632.pptx
talk6securingcloudamarprusty-191030091632.pptxtalk6securingcloudamarprusty-191030091632.pptx
talk6securingcloudamarprusty-191030091632.pptx
TrongMinhHoang1
 
Cloud Security
Cloud SecurityCloud Security
Cloud Security
AWS User Group Bengaluru
 
Cloud Security
Cloud SecurityCloud Security
Cloud Security
AWS User Group Bengaluru
 
SharePointFest 2013 Washington DC - SPT 103 - SharePoint 2013 Extranets: How ...
SharePointFest 2013 Washington DC - SPT 103 - SharePoint 2013 Extranets: How ...SharePointFest 2013 Washington DC - SPT 103 - SharePoint 2013 Extranets: How ...
SharePointFest 2013 Washington DC - SPT 103 - SharePoint 2013 Extranets: How ...
Brian Culver
 
SC-900 Concepts of Security, Compliance, and Identity
SC-900 Concepts of Security, Compliance, and IdentitySC-900 Concepts of Security, Compliance, and Identity
SC-900 Concepts of Security, Compliance, and Identity
FredBrandonAuthorMCP
 
20160304 blockchain in fsi client ready raymond
20160304 blockchain in fsi client ready raymond20160304 blockchain in fsi client ready raymond
20160304 blockchain in fsi client ready raymond
Meng-Ru (Raymond) Tsai
 
Common Data Service – A Business Database!
Common Data Service – A Business Database!Common Data Service – A Business Database!
Common Data Service – A Business Database!
Pedro Azevedo
 
Null talk
Null talkNull talk
Null talk
Agam Jain
 
How to deploy SharePoint 2010 to external users?
How to deploy SharePoint 2010 to external users?How to deploy SharePoint 2010 to external users?
How to deploy SharePoint 2010 to external users?
rlsoft
 
Securing Applications in the Cloud
Securing Applications in the CloudSecuring Applications in the Cloud
Securing Applications in the Cloud
Security Innovation
 
SWXG 2010.6.9 v2
SWXG 2010.6.9 v2SWXG 2010.6.9 v2
SWXG 2010.6.9 v2
Paul Trevithick
 
Safenet Authentication Service, SAS
Safenet Authentication Service, SASSafenet Authentication Service, SAS
Safenet Authentication Service, SAS
robbuddingh
 
Development of Digital Identity Systems
Development of Digital Identity Systems Development of Digital Identity Systems
Development of Digital Identity Systems
Maganathin Veeraragaloo
 
Citrix Day 2014: ShareFile Enterprise
Citrix Day 2014: ShareFile EnterpriseCitrix Day 2014: ShareFile Enterprise
Citrix Day 2014: ShareFile Enterprise
Digicomp Academy AG
 
CTU June 2011 - Windows Azure App Fabric
CTU June 2011 - Windows Azure App FabricCTU June 2011 - Windows Azure App Fabric
CTU June 2011 - Windows Azure App FabricSpiffy
 
IBM Spectrum Scale Authentication for Protocols
IBM Spectrum Scale Authentication for ProtocolsIBM Spectrum Scale Authentication for Protocols
IBM Spectrum Scale Authentication for Protocols
Sandeep Patil
 

Similar to Federated and fabulous identity (20)

NIC 2014 Modern Authentication for the Cloud Era
NIC 2014 Modern Authentication for the Cloud EraNIC 2014 Modern Authentication for the Cloud Era
NIC 2014 Modern Authentication for the Cloud Era
 
Web-services
Web-services Web-services
Web-services
 
NUS-ISS Learning Day 2019-Software Platforms - Welcoming Unknown Enemies?
NUS-ISS Learning Day 2019-Software Platforms - Welcoming Unknown Enemies?NUS-ISS Learning Day 2019-Software Platforms - Welcoming Unknown Enemies?
NUS-ISS Learning Day 2019-Software Platforms - Welcoming Unknown Enemies?
 
Identity 2.0 and User-Centric Identity
Identity 2.0 and User-Centric IdentityIdentity 2.0 and User-Centric Identity
Identity 2.0 and User-Centric Identity
 
talk6securingcloudamarprusty-191030091632.pptx
talk6securingcloudamarprusty-191030091632.pptxtalk6securingcloudamarprusty-191030091632.pptx
talk6securingcloudamarprusty-191030091632.pptx
 
Cloud Security
Cloud SecurityCloud Security
Cloud Security
 
Cloud Security
Cloud SecurityCloud Security
Cloud Security
 
SharePointFest 2013 Washington DC - SPT 103 - SharePoint 2013 Extranets: How ...
SharePointFest 2013 Washington DC - SPT 103 - SharePoint 2013 Extranets: How ...SharePointFest 2013 Washington DC - SPT 103 - SharePoint 2013 Extranets: How ...
SharePointFest 2013 Washington DC - SPT 103 - SharePoint 2013 Extranets: How ...
 
SC-900 Concepts of Security, Compliance, and Identity
SC-900 Concepts of Security, Compliance, and IdentitySC-900 Concepts of Security, Compliance, and Identity
SC-900 Concepts of Security, Compliance, and Identity
 
20160304 blockchain in fsi client ready raymond
20160304 blockchain in fsi client ready raymond20160304 blockchain in fsi client ready raymond
20160304 blockchain in fsi client ready raymond
 
Common Data Service – A Business Database!
Common Data Service – A Business Database!Common Data Service – A Business Database!
Common Data Service – A Business Database!
 
Null talk
Null talkNull talk
Null talk
 
How to deploy SharePoint 2010 to external users?
How to deploy SharePoint 2010 to external users?How to deploy SharePoint 2010 to external users?
How to deploy SharePoint 2010 to external users?
 
Securing Applications in the Cloud
Securing Applications in the CloudSecuring Applications in the Cloud
Securing Applications in the Cloud
 
SWXG 2010.6.9 v2
SWXG 2010.6.9 v2SWXG 2010.6.9 v2
SWXG 2010.6.9 v2
 
Safenet Authentication Service, SAS
Safenet Authentication Service, SASSafenet Authentication Service, SAS
Safenet Authentication Service, SAS
 
Development of Digital Identity Systems
Development of Digital Identity Systems Development of Digital Identity Systems
Development of Digital Identity Systems
 
Citrix Day 2014: ShareFile Enterprise
Citrix Day 2014: ShareFile EnterpriseCitrix Day 2014: ShareFile Enterprise
Citrix Day 2014: ShareFile Enterprise
 
CTU June 2011 - Windows Azure App Fabric
CTU June 2011 - Windows Azure App FabricCTU June 2011 - Windows Azure App Fabric
CTU June 2011 - Windows Azure App Fabric
 
IBM Spectrum Scale Authentication for Protocols
IBM Spectrum Scale Authentication for ProtocolsIBM Spectrum Scale Authentication for Protocols
IBM Spectrum Scale Authentication for Protocols
 

Recently uploaded

Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
Octavian Nadolu
 
Large Language Model (LLM) and it’s Geospatial Applications
Large Language Model (LLM) and it’s Geospatial ApplicationsLarge Language Model (LLM) and it’s Geospatial Applications
Large Language Model (LLM) and it’s Geospatial Applications
Rohit Gautam
 
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfObservability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Paige Cruz
 
UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5
DianaGray10
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
DanBrown980551
 
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
James Anderson
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
Aftab Hussain
 
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
Neo4j
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
danishmna97
 
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdfUni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems S.M.S.A.
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
Matthew Sinclair
 
20 Comprehensive Checklist of Designing and Developing a Website
20 Comprehensive Checklist of Designing and Developing a Website20 Comprehensive Checklist of Designing and Developing a Website
20 Comprehensive Checklist of Designing and Developing a Website
Pixlogix Infotech
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance
 
Building RAG with self-deployed Milvus vector database and Snowpark Container...
Building RAG with self-deployed Milvus vector database and Snowpark Container...Building RAG with self-deployed Milvus vector database and Snowpark Container...
Building RAG with self-deployed Milvus vector database and Snowpark Container...
Zilliz
 
A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...
sonjaschweigert1
 
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
Neo4j
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
Kari Kakkonen
 
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
Neo4j
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
Alan Dix
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
KatiaHIMEUR1
 

Recently uploaded (20)

Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
 
Large Language Model (LLM) and it’s Geospatial Applications
Large Language Model (LLM) and it’s Geospatial ApplicationsLarge Language Model (LLM) and it’s Geospatial Applications
Large Language Model (LLM) and it’s Geospatial Applications
 
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfObservability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
 
UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
 
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
 
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
 
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdfUni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdf
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
 
20 Comprehensive Checklist of Designing and Developing a Website
20 Comprehensive Checklist of Designing and Developing a Website20 Comprehensive Checklist of Designing and Developing a Website
20 Comprehensive Checklist of Designing and Developing a Website
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
 
Building RAG with self-deployed Milvus vector database and Snowpark Container...
Building RAG with self-deployed Milvus vector database and Snowpark Container...Building RAG with self-deployed Milvus vector database and Snowpark Container...
Building RAG with self-deployed Milvus vector database and Snowpark Container...
 
A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...
 
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
 
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
 

Federated and fabulous identity

1. Federated and fabulous identity
   André N. Klingsheim - @klingsen, AppSec AS, Dataforeningen 18.09.2013

2. Outline
   • Federated Identity
   • WS-Federation
   • Architectural advantages
   • Building federated identity systems
   • Demo

3. Federated identity
   • Federation – A federation is a collection of realms that have established a producer-consumer relationship whereby one realm can provide authorized access to a resource it manages based on an identity, and possibly associated attributes, that are asserted in another realm.*
     - TL;DR: A company can give access to a resource based on an identity asserted by another company.
   • Identity – The identity of an individual is the set of information associated with that individual in a particular computer system.**
     - Can be extended to system entities, such as computers/service accounts.
     - The term "principal" is used to refer to system entities/individuals in computer systems.
   * Web Services Federation Language (WS-Federation), Version 1.1, December 2006
   ** S. T. Kent and L. I. Millett, editors, Who Goes There? Authentication Through the Lens of Privacy, The National Academies Press, 2003

4. The problem at hand
   [Diagram, labels: User, My company (Realm), Collaboration website https://collaboration.partner.com, Partner company (Realm)]

5. The classic approach
   • Partner company maintains a user database for its application
   • Each user from our company is assigned an account for the partner's application
   • Typical login: username/password
   • Many partner websites -> many usernames/passwords
   • Challenging to maintain these user IDs
     - User quits the company, internal account closed. What about accounts in all partnering companies' applications?
     - Challenging to keep track of who has access to what
     - No central management of IDs
   • Federated identity to the rescue!

6. WS-Federation
   • Web Services Federation Language
     - Contributors: Microsoft, IBM, Novell, Verisign and more.
     - Industry standard, freely available.
     - Builds upon WS-Security and WS-Trust.
   • Defines mechanisms to allow different security realms to federate
   • Focused on web services
   • Also includes a specification for Web (Passive) Requestors
     - Enables the WS-Federation protocol to be run through a web browser
     - Involves real people!
     - We'll be focusing on the web scenario.

7. The building blocks
   • Trust – Trust is the characteristic that one entity is willing to rely upon a second entity to execute a set of actions and/or to make a set of assertions* about a set of subjects and/or scopes.
   • Claims-based identity
   • Claim – A claim is a declaration made by an entity (e.g. name, identity, key, group, privilege, capability, etc.).
   • Means to (securely) communicate identity information between realms
   • Security Token – A security token represents a collection (one or more) of claims.
   * Claim and assertion are synonyms

8. Important roles
   • Identity Provider (IP) – An Identity Provider is an entity that acts as an authentication service to end requestors and a data origin authentication service to service providers.
   • Security Token Service (STS) – A Security Token Service is a Web service that provides issuance and management of security tokens.
   • Relying Party (RP) – A Web application or service that consumes Security Tokens issued by a Security Token Service.

9. Security token
   • Contains claims about the user
     - Typical claims: username, user's name, e-mail address, groups (for authz)
   • Signed by the STS
     - RP can verify that it was issued by a trusted STS
     - Tamper-proof
   • Lifetime (valid from/to)
   • Intended for a particular RP
   • Can also be encrypted -> only the intended RP can decrypt it
   • Can be in different formats, often SAML

12. [Diagram, labels: User, My company (Realm), IP, STS, Authenticate, Relying party, Partner company (Realm), Relying party, Another partner company (Realm)]

13. Architectural advantages
   • Separates authentication logic from the application
   • Enables single sign-on for a suite of applications
     - Provides a seamless experience across stand-alone applications
   • Yields great flexibility when building e.g. an online bank
     - Different services can be provided through separate applications
     - Simplifies releases
     - Makes it easier for multiple teams to work in parallel
     - Opens the possibility to host different applications in separate environments
       - E.g. some apps hosted locally, some apps hosted in the cloud
     - Simplifies integration of third-party applications
     - Facilitates privacy-by-design, carefully selecting the claims provided to various applications

14. How we used to do things
   [Diagram: sample online banking application, labels: Authentication, Accounts/payment, Stocks/fund, Debit/credit cards, Loans, Personal finance]

15. How we can do things now
   [Diagram: sample online banking application suite, labels: Authentication IP/STS; RPs: Personal finance, Accounts/payment, Stocks/fund, Debit/credit cards, Loans]

16. A few challenges
   • Providing flexibility in common functionality
     - Handling changes to "shared" menus etc.
   • Care must be taken with regard to session management

17. Building federated identity systems
   • We need a minimum of three things: an IP, an STS, and an RP
   • The RP usually contains the features (customer value). Everyone wants this!
   • IPs and STSs you build because you have to (though some of us think it's great fun)
   • We want to spend as much time as possible on building the fun stuff – features.
   • Authentication as a service?

18. Windows Identity Foundation
   • Framework for building identity-aware applications
   • Included in the .NET Framework 4.5
     - Available as a separate library before .NET 4.5
   • Provides APIs for building Relying Parties and STSs
     - Provides a programming model for working with claims-based identity
   • Provides out-of-the-box functionality for RPs

19. AD FS
   • Active Directory Federation Services
   • AD-integrated STS
   • Included in Windows Server 2008/2012
   • Enables federation of AD identities
   • Seamless experience for users

20. AD FS
   [Diagram, labels: User, AD FS https://adfs.domain.com/STS, AD, Collaboration website https://collaboration.partner.com, My company, Partner company, STS, STS, IP, RP]

21. ACS
   • Windows Azure Active Directory Access Control (aka ACS)
   • Cloud-based service
   • Facilitates authentication and manages authorization of users
   • Supports several identity providers
     - AD FS
     - Windows Live ID / Google / Yahoo! / Facebook
   • Windows Identity Foundation integration

22. ACS
   [Diagram, labels: User, Useful website https://usefulwebsite.mycompany.com, ACS, Windows Live ID, Google, My company, Cloud]

23. Demo!

24. Thank you!
   André N. Klingsheim - @klingsen, AppSec AS, www.dotnetnoob.com
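The checks an RP has to run on a security token (slides 8, 9 and 12: issued by a trusted STS, signature intact, intended for this RP, inside its lifetime) as an added, runnable example. This is not code from the talk, from WIF or from AD FS: it uses a small JSON token signed with ECDSA P-256 instead of a SAML assertion, the type and function names (`STS`, `RelyingParty`, `Issue`, `Validate`) are invented for the example, and the claim values are constructed. The STS and RP URLs are the ones shown in the slides' diagrams.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Token is a simplified security token constructed for this example. A WS-Federation
// STS would issue a SAML assertion, but the fields an RP must check are the same.
type Token struct {
	Issuer       string            `json:"issuer"`   // the STS that issued the token
	Audience     string            `json:"audience"` // the RP the token is intended for
	NotBefore    int64             `json:"nbf"`      // Unix seconds
	NotOnOrAfter int64             `json:"exp"`      // Unix seconds
	Claims       map[string]string `json:"claims"`   // e.g. upn, email, groups
}

// SignedToken is the token plus the STS's ECDSA signature over its JSON encoding.
// json.Marshal is deterministic here (fixed field order, sorted map keys), so the
// RP can re-encode the token and verify over the same bytes.
type SignedToken struct {
	Token     Token  `json:"token"`
	Signature []byte `json:"sig"`
}

// STS signs tokens with its private key; relying parties only hold the public key.
type STS struct {
	Name string
	key  *ecdsa.PrivateKey
}

func NewSTS(name string) (*STS, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &STS{Name: name, key: key}, nil
}

func (s *STS) PublicKey() *ecdsa.PublicKey { return &s.key.PublicKey }

// Issue creates a token for one audience (RP) with a bounded lifetime.
func (s *STS) Issue(audience string, claims map[string]string, now time.Time, lifetime time.Duration) (SignedToken, error) {
	tok := Token{Issuer: s.Name, Audience: audience, NotBefore: now.Unix(),
		NotOnOrAfter: now.Add(lifetime).Unix(), Claims: claims}
	payload, err := json.Marshal(tok)
	if err != nil {
		return SignedToken{}, err
	}
	digest := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, s.key, digest[:])
	if err != nil {
		return SignedToken{}, err
	}
	return SignedToken{Token: tok, Signature: sig}, nil
}

// RelyingParty consumes tokens and accepts only issuers it was configured to trust.
type RelyingParty struct {
	Realm     string                      // this RP's identifier; must equal the token audience
	ClockSkew time.Duration               // tolerated clock drift between STS and RP
	trusted   map[string]*ecdsa.PublicKey // issuer name -> STS signing key
}

func NewRelyingParty(realm string, skew time.Duration) *RelyingParty {
	return &RelyingParty{Realm: realm, ClockSkew: skew, trusted: map[string]*ecdsa.PublicKey{}}
}

// Trust registers an STS whose tokens this RP will accept.
func (rp *RelyingParty) Trust(issuer string, key *ecdsa.PublicKey) { rp.trusted[issuer] = key }

// Validate runs the checks slide 9 lists: trusted issuer, intact signature, intended
// audience, and current validity window. Claims are released only if all of them pass.
func (rp *RelyingParty) Validate(st SignedToken, now time.Time) (map[string]string, error) {
	key, ok := rp.trusted[st.Token.Issuer] // issuer selects the key; the signature check proves it
	if !ok {
		return nil, errors.New("issuer not trusted")
	}
	payload, err := json.Marshal(st.Token)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(payload)
	if !ecdsa.VerifyASN1(key, digest[:], st.Signature) {
		return nil, errors.New("signature invalid: tampered with or not signed by this STS")
	}
	if st.Token.Audience != rp.Realm {
		return nil, errors.New("token not intended for this relying party")
	}
	if now.Add(rp.ClockSkew).Unix() < st.Token.NotBefore {
		return nil, errors.New("token not yet valid")
	}
	if now.Add(-rp.ClockSkew).Unix() >= st.Token.NotOnOrAfter {
		return nil, errors.New("token expired")
	}
	return st.Token.Claims, nil
}

func main() {
	sts, _ := NewSTS("https://adfs.domain.com/STS") // STS URL from slide 20
	rp := NewRelyingParty("https://collaboration.partner.com/", 5*time.Minute)
	rp.Trust(sts.Name, sts.PublicKey())
	now := time.Now()
	tok, _ := sts.Issue(rp.Realm, map[string]string{"upn": "alice@mycompany.example"}, now, time.Hour)
	claims, err := rp.Validate(tok, now)
	fmt.Println(claims, err)
}
```

The order of the checks matters: the issuer name is read from the unverified token only to pick a key, and nothing in the token is trusted until the signature verifies against that key; audience and lifetime are then checked before any claim is handed to the application. Encryption of the token for the intended RP (also on slide 9) is left out, since it does not change which checks the RP performs.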

Editor's Notes

  1. Digital Identity – A digital representation of a principal (or group of principals) that is unique to that principal (or group), and that acts as a reference to that principal (or group). For example, an email address MAY be treated as a digital identity, just as a machine’s unique IP address MAY also be treated as a digital identity, or even a generated unique identifier. In the context of this document, the term identity is often used to refer to a digital identity. A principal may have multiple digital identities,
  2. Log in to the STS
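The browser-based sign-in at the STS that slides 6 and 20 describe (the Web (Passive) Requestor profile: the RP redirects the browser to the STS, the user authenticates there, and the STS posts a response back to the RP) as an added example, not code from the talk, from WIF or from AD FS. The query and form parameter names (`wa`, `wtrealm`, `wreply`, `wctx`, `wresult`) are those of the WS-Federation passive protocol; the `PassiveRP` type, its methods, the `/signin` path and the placeholder `wresult` content are constructed for the example, and the STS and RP URLs come from the slides' diagrams.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"net/http"
	"net/url"
	"strings"
	"sync"
)

// URLs taken from the slides' diagrams; everything else in this file is constructed.
const (
	stsEndpoint = "https://adfs.domain.com/STS"
	rpRealm     = "https://collaboration.partner.com/"
)

// PassiveRP is the relying-party side of the passive requestor profile: it sends
// browsers without a session to the STS and consumes the form the STS posts back.
// Pending sign-ins are keyed by wctx and may be completed exactly once.
type PassiveRP struct {
	mu      sync.Mutex
	pending map[string]string // wctx -> URL the user originally asked for
}

func NewPassiveRP() *PassiveRP { return &PassiveRP{pending: map[string]string{}} }

// StartSignIn builds the redirect to the STS. wa names the action, wtrealm identifies
// this RP to the STS, wreply is where the STS posts its response, and wctx is opaque
// RP state the STS echoes back unchanged. The wctx value is returned as well.
func (rp *PassiveRP) StartSignIn(returnTo string) (location, wctx string, err error) {
	b := make([]byte, 16)
	if _, e := rand.Read(b); e != nil {
		return "", "", e
	}
	wctx = hex.EncodeToString(b)
	rp.mu.Lock()
	rp.pending[wctx] = returnTo
	rp.mu.Unlock()
	q := url.Values{}
	q.Set("wa", "wsignin1.0")
	q.Set("wtrealm", rpRealm)
	q.Set("wreply", rpRealm+"signin")
	q.Set("wctx", wctx)
	return stsEndpoint + "?" + q.Encode(), wctx, nil
}

// SignInResult is what the RP keeps from the post-back. Result is the
// RequestSecurityTokenResponse carrying the security token; validating that token
// (signature, audience, lifetime) is a separate step not shown here.
type SignInResult struct {
	ReturnTo string
	Result   string
}

// HandleSignInResponse accepts the browser POST coming from the STS. It rejects
// anything other than a sign-in POST and any wctx it did not issue or has already
// consumed, so a replayed or forged response cannot complete a sign-in.
func (rp *PassiveRP) HandleSignInResponse(r *http.Request) (SignInResult, error) {
	if r.Method != http.MethodPost {
		return SignInResult{}, errors.New("sign-in response must be a POST")
	}
	if err := r.ParseForm(); err != nil {
		return SignInResult{}, err
	}
	if r.PostForm.Get("wa") != "wsignin1.0" {
		return SignInResult{}, errors.New("unexpected wa action")
	}
	wctx := r.PostForm.Get("wctx")
	rp.mu.Lock()
	returnTo, ok := rp.pending[wctx]
	delete(rp.pending, wctx) // one-time use
	rp.mu.Unlock()
	if !ok {
		return SignInResult{}, errors.New("unknown or already used wctx")
	}
	result := r.PostForm.Get("wresult")
	if result == "" {
		return SignInResult{}, errors.New("missing wresult")
	}
	return SignInResult{ReturnTo: returnTo, Result: result}, nil
}

// SimulateSTSPost builds the form POST a browser would deliver from the STS. It is a
// constructed stand-in: a real wresult carries signed XML, not this placeholder.
func SimulateSTSPost(wctx, wresult string) *http.Request {
	form := url.Values{"wa": {"wsignin1.0"}, "wctx": {wctx}, "wresult": {wresult}}
	req, _ := http.NewRequest(http.MethodPost, rpRealm+"signin", strings.NewReader(form.Encode()))
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	return req
}

func main() {
	rp := NewPassiveRP()
	loc, wctx, _ := rp.StartSignIn("/documents")
	fmt.Println("302 Location:", loc)
	res, err := rp.HandleSignInResponse(SimulateSTSPost(wctx, "<RequestSecurityTokenResponse/>"))
	fmt.Println(res.ReturnTo, err)
}
```

In a deployed RP the wctx entry would also be bound to the browser that started the sign-in (for example through a cookie set alongside the redirect), and the session mentioned on slide 16 would only be created after the token inside wresult has been validated.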