Federated and fabulous identity
André N. Klingsheim - @klingsen
AppSec AS
Dataforeningen 18.09.2013
Outline
• Federated Identity
• WS-Federation
• Architectural advantages
• Building federated identity systems
• Demo
Federated identity
• Federation – A federation is a collection of realms that have established a producer-consumer relationship whereby one realm can provide authorized access to a resource it manages based on an identity, and possibly associated attributes, that are asserted in another realm.*
  ◦ TL;DR: A company can give access to a resource based on an identity asserted by another company.
• Identity – The identity of an individual is the set of information associated with that individual in a particular computer system.**
  ◦ Can be extended to system entities, such as computers/service accounts.
  ◦ The term "principal" is used to refer to system entities/individuals in computer systems.
* Web Services Federation Language (WS-Federation), Version 1.1, December 2006
** S. T. Kent and L. I. Millett, editors, Who Goes There? Authentication Through the Lens of Privacy, The National Academies Press, 2003
The problem at hand
[Slide diagram: a User in My company (Realm) needs access to the Collaboration website at https://collaboration.partner.com, which lives in Partner company (Realm)]
The classic approach
• Partner company maintains a user database for its application
• Each user from our company is assigned an account for the partner's application
• Typical login: username/password
• Many partner websites -> many usernames/passwords
• Challenging to maintain these user IDs
  ◦ User quits the company, internal account closed. What about accounts in all partnering companies' applications?
  ◦ Challenging to keep track of who has access to what
  ◦ No central management of IDs
• Federated identity to the rescue!
WS-Federation
• Web Services Federation Language
  ◦ Contributors: Microsoft, IBM, Novell, Verisign and more.
  ◦ Industry standard, freely available.
  ◦ Builds upon WS-Security and WS-Trust.
• Defines mechanisms to allow different security realms to federate
• Focused on web services
• Also includes a specification for Web (Passive) Requestors
  ◦ Enables the WS-Federation protocol to be run through a web browser
  ◦ Involves real people!
  ◦ We'll be focusing on the web scenario.
The building blocks
• Trust – Trust is the characteristic that one entity is willing to rely upon a second entity to execute a set of actions and/or to make a set of assertions* about a set of subjects and/or scopes.
• Claims based identity
  ◦ Claim – A claim is a declaration made by an entity (e.g. name, identity, key, group, privilege, capability, etc.).
• Means to (securely) communicate identity information between realms
  ◦ Security Token – A security token represents a collection (one or more) of claims.
* Claim and assertion are synonyms
Important roles
• Identity Provider (IP) – An Identity Provider is an entity that acts as an authentication service to end requestors and a data origin authentication service to service providers.
• Security Token Service (STS) – A Security Token Service is a Web service that provides issuance and management of security tokens.
• Relying Party (RP) – A Web application or service that consumes Security Tokens issued by a Security Token Service.
Security token
• Contains claims about the user
  ◦ Typical claims: username, user's name, e-mail address, groups (for authz)
• Signed by the STS
  ◦ RP can verify that it was issued by a trusted STS
  ◦ Tamper-proof
• Lifetime (valid from/to)
• Intended for a particular RP
• Can also be encrypted -> only the intended RP can decrypt it
• Can be in different formats, often SAML
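The checks the slide lists (signature from a trusted STS, lifetime, intended RP) are exactly what a relying party has to perform before it may use a single claim. The following is an added example, not code from the slides or from the author, that issues and validates such a token. It simplifies the format: the token is JSON rather than SAML, and the STS signature is HMAC-SHA256 under a key shared with the RP, where a real WS-Federation STS signs SAML with an X.509 key. The issuer and realm URLs are taken from the slides' diagrams; the signing key, claims and timestamps are constructed.

```python
"""Added example: a minimal security token as described on the slide --
claims, issuer, intended RP (audience), lifetime and a signature the RP
verifies before trusting any claim. HMAC stands in for the STS's X.509
signature; the RP-side checks are the same in either case."""
import base64
import hashlib
import hmac
import json
import time

STS_KEY = b"constructed-sts-signing-key"          # constructed; a real STS uses a private key
STS_ISSUER = "https://adfs.domain.com/STS"        # STS address from the slides' AD FS diagram
RP_REALM = "https://collaboration.partner.com"    # the partner's relying party


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims, audience, issued_at=None, lifetime_seconds=300, key=STS_KEY):
    """STS side: wrap the claims with issuer, audience and validity window, then sign."""
    now = int(issued_at if issued_at is not None else time.time())
    body = {
        "iss": STS_ISSUER,
        "aud": audience,                 # intended RP
        "nbf": now,                      # valid from
        "exp": now + lifetime_seconds,   # valid to
        "claims": claims,
    }
    raw = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(key, raw, hashlib.sha256).digest()
    return _b64(raw) + "." + _b64(sig)


class TokenRejected(Exception):
    pass


def validate_token(token, expected_audience, trusted_issuers, now=None, key=STS_KEY):
    """RP side. The signature is checked first so that nothing unsigned is
    ever parsed as trusted data; then issuer, audience and lifetime."""
    try:
        raw_b64, sig_b64 = token.split(".")
        raw, sig = _unb64(raw_b64), _unb64(sig_b64)
    except ValueError:
        raise TokenRejected("malformed token")
    expected = hmac.new(key, raw, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise TokenRejected("signature invalid: not issued by a trusted STS, or modified")
    body = json.loads(raw)
    if body["iss"] not in trusted_issuers:
        raise TokenRejected("issuer not trusted")
    if body["aud"] != expected_audience:
        raise TokenRejected("token intended for another RP")
    now = int(now if now is not None else time.time())
    if not (body["nbf"] <= now < body["exp"]):
        raise TokenRejected("token outside its validity window")
    return body["claims"]


def demo():
    """Happy path plus the three failure modes; returns (accepted claims, rejection reasons)."""
    claims = {"upn": "alice@mycompany.example", "name": "Alice", "groups": ["project-x"]}
    t0 = 1_000_000                                   # constructed issue time
    good = issue_token(claims, RP_REALM, issued_at=t0)
    accepted = validate_token(good, RP_REALM, {STS_ISSUER}, now=t0 + 10)

    # A token whose claims were changed after signing keeps the old signature
    raw_b64, sig_b64 = good.split(".")
    body = json.loads(_unb64(raw_b64))
    body["claims"]["groups"] = ["admins"]
    modified = _b64(json.dumps(body, sort_keys=True, separators=(",", ":")).encode()) + "." + sig_b64

    reasons = []
    for tok, aud, now in [
        (good, RP_REALM, t0 + 10_000),                       # presented after expiry
        (good, "https://other.partner.example", t0 + 10),    # presented to the wrong RP
        (modified, RP_REALM, t0 + 10),                       # claims changed in transit
    ]:
        try:
            validate_token(tok, aud, {STS_ISSUER}, now=now)
            reasons.append("accepted")
        except TokenRejected as e:
            reasons.append(str(e))
    return accepted, reasons
```

The order of checks in `validate_token` is the point worth copying: signature, then issuer, then audience, then time. Rejecting on audience is what stops a token minted for one RP from being replayed against another RP that trusts the same STS.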
Security token "IRL"
[Slide: screenshot of a real security token; no text survives extraction]
Federation "IRL"
[Slide diagram: a User authenticates at the IP/STS in one realm (labelled Norway) and presents the token to a Relying party in another (labelled USA)]
[Slide diagram: a User in My company (Realm) authenticates at the IP/STS, then accesses a Relying party in Partner company (Realm) and another Relying party in Another partner company (Realm)]
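The "Federation IRL" diagrams show the passive (browser) flow: the RP redirects the user to the STS, and the STS posts the token back to the RP. The following is an added example, not from the slides or the author, of that exchange from the relying party's side. The parameter names (wa, wtrealm, wreply, wctx, wresult) are the ones WS-Federation defines for the passive requestor profile; the realm, the STS address, the in-memory context store and the STS response are constructed for this example.

```python
"""Added example: the WS-Federation passive sign-in exchange, RP side.
Two design choices are deliberate and not mandated by the spec: wreply is
fixed to the RP's own endpoint (the local return path is kept server-side,
so the STS can never be asked to send the browser elsewhere), and wctx is
an unguessable, single-use value so a response can be tied to the request
that caused it."""
import secrets
from urllib.parse import parse_qs, urlencode, urlparse, urlunparse

RP_REALM = "https://collaboration.partner.com"
STS_SIGNIN_URL = "https://adfs.domain.com/STS"   # STS from the slides' AD FS diagram

_pending_contexts = {}   # wctx -> local return path, constructed in-memory store


def build_signin_request(return_path, sts_url=STS_SIGNIN_URL, realm=RP_REALM):
    """Step 1: build the redirect that sends the browser to the STS."""
    if not return_path.startswith("/"):
        raise ValueError("return_path must be a path within the RP, not an absolute URL")
    wctx = secrets.token_urlsafe(16)
    _pending_contexts[wctx] = return_path
    query = urlencode({
        "wa": "wsignin1.0",          # sign-in action
        "wtrealm": realm,            # identifies the RP; becomes the token's audience
        "wreply": realm + "/signin", # where the STS posts the result
        "wctx": wctx,                # opaque context, echoed back by the STS
    })
    return urlunparse(urlparse(sts_url)._replace(query=query))


def handle_signin_response(form_fields):
    """Step 2: the STS posts back to wreply. Check the action, tie the response
    to an outstanding request (consuming the wctx so a second delivery fails),
    and return the wresult for token validation together with the return path."""
    if form_fields.get("wa") != "wsignin1.0":
        raise ValueError("unexpected wa action")
    wctx = form_fields.get("wctx")
    if wctx is None or wctx not in _pending_contexts:
        raise ValueError("unknown or already used wctx")
    wresult = form_fields.get("wresult")
    if not wresult:
        raise ValueError("missing wresult")
    return_path = _pending_contexts.pop(wctx)
    return wresult, return_path


def demo_exchange():
    """One full exchange with a constructed STS reply.
    Returns (query sent to the STS, wresult received, return path, replay rejected?)."""
    redirect = build_signin_request("/projects/42")
    sent = {k: v[0] for k, v in parse_qs(urlparse(redirect).query).items()}
    # Constructed STS reply: wctx echoed, token carried in wresult (placeholder content)
    post_back = {"wa": "wsignin1.0", "wctx": sent["wctx"], "wresult": "RSTR-PLACEHOLDER"}
    wresult, path = handle_signin_response(post_back)
    try:
        handle_signin_response(post_back)   # same form posted a second time
        replay_rejected = False
    except ValueError:
        replay_rejected = True
    return sent, wresult, path, replay_rejected
```

`wresult` carries the token itself; validating its signature, audience and lifetime is a separate step and is what decides whether the user is signed in.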
Architectural advantages
• Separates authentication logic from the application
• Enables single sign-on for a suite of applications
  ◦ Provides a seamless experience across stand-alone applications
• Yields great flexibility when building e.g. an online bank
  ◦ Different services can be provided through separate applications
  ◦ Simplifies releases
  ◦ Makes it easier for multiple teams to work in parallel
  ◦ Opens the possibility to host different applications in separate environments
    ▪ E.g. some apps hosted locally, some apps hosted in the cloud
  ◦ Simplifies integration of third party applications
  ◦ Facilitates privacy-by-design, carefully selecting the claims provided to various applications
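The last point, selecting which claims each application receives, is something the STS enforces when it issues a token. The following is an added example, not from the slides or the author, of a claim release policy for the banking suite the slides use as their scenario. The RP names, the identity record, the claim types and the policy table are all constructed; the derived `is_adult` claim illustrates releasing the answer an RP needs instead of the raw data it is computed from.

```python
"""Added example: STS-side claim selection per relying party. The STS knows
the full identity, but each RP's token carries only the claim types listed
for that RP, and an RP with no policy entry gets no token at all."""
from datetime import date

# Full identity as known to the IP (constructed)
IDENTITY = {
    "customer_id": "C-1001",
    "name": "Alice Example",
    "email": "alice@example.invalid",
    "birthdate": date(1990, 5, 17),
    "groups": ["retail-customer", "stock-trader"],
}

# Claim types each RP in the suite may receive (constructed policy).
# Note that no RP is entitled to "birthdate"; stock trading only needs "is_adult".
RELEASE_POLICY = {
    "https://accounts.bank.example": {"customer_id", "name", "groups"},
    "https://stocks.bank.example": {"customer_id", "groups", "is_adult"},
    "https://personal-finance.bank.example": {"customer_id", "email"},
}


def derive_claims(identity, today):
    """Add minimal derived claims alongside the raw identity data."""
    bd = identity["birthdate"]
    age = today.year - bd.year - ((today.month, today.day) < (bd.month, bd.day))
    derived = dict(identity)
    derived["is_adult"] = age >= 18
    return derived


def select_claims(identity, rp_realm, policy=RELEASE_POLICY, today=None):
    """Fail closed: an unknown RP gets nothing; a known RP gets only its listed claim types."""
    if rp_realm not in policy:
        raise PermissionError(f"no claim release policy for {rp_realm}")
    allowed = policy[rp_realm]
    available = derive_claims(identity, today or date.today())
    return {claim_type: value for claim_type, value in available.items() if claim_type in allowed}
```

Usage: `select_claims(IDENTITY, "https://stocks.bank.example", today=date(2013, 9, 18))` yields the customer ID, the groups and `is_adult: True`, and nothing else; the personal finance application never sees the user's groups, and no application sees the birthdate.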
How we used to do things
[Slide diagram: sample online banking application as one application containing Authentication, Accounts/payment, Stocks/fund, Debit/credit cards, Loans and Personal finance]
How we can do things now
[Slide diagram: sample online banking application suite; Authentication handled by an IP/STS, with Personal finance, Accounts/payment, Stocks/fund, Debit/credit cards and Loans as separate RPs]
A few challenges
• Providing flexibility in common functionality
  ◦ Handling change to "shared" menus etc.
• Care must be taken with regards to session management
Building federated identity systems
• We need at least three things: an IP, an STS, and an RP
• The RP usually contains the features (customer value). Everyone wants this!
• IPs and STSs you build because you have to (though some of us think it's great fun)
• We want to spend as much time as possible on building the fun stuff – features.
• Authentication as a service?
Windows Identity Foundation
• Framework for building identity-aware applications
• Included in the .NET Framework 4.5
  ◦ Available as a separate library before .NET 4.5
• Provides APIs for building Relying Parties and STSs
  ◦ Provides a programming model for working with claims based identity
• Provides out-of-the-box functionality for RPs
AD FS
• Active Directory Federation Services
• AD-integrated STS
• Included in Windows Server 2008/2012
• Enables federation of AD-identities
• Seamless experience for users
AD FS
[Slide diagram: a User in My company authenticates against AD FS at https://adfs.domain.com/STS, backed by AD (labelled IP and STS); Partner company has its own STS and hosts the Collaboration website at https://collaboration.partner.com (labelled RP)]
ACS
• Windows Azure Active Directory Access Control (aka ACS)
• Cloud based service
• Facilitates authentication and manages authorization of users
• Supports several identity providers
  ◦ AD FS
  ◦ Windows Live ID / Google / Yahoo! / Facebook
• Windows Identity Foundation integration
ACS
[Slide diagram: a User reaches Useful website at https://usefulwebsite.mycompany.com in My company, which relies on ACS in the cloud; ACS in turn federates Windows Live ID and Google as identity providers]
Demo!
Thank you!
André N. Klingsheim - @klingsen
AppSec AS
www.dotnetnoob.com

More Related Content

What's hot

Primend Pilvesminar - Enterprise Cloud Suite
Primend Pilvesminar - Enterprise Cloud SuitePrimend Pilvesminar - Enterprise Cloud Suite
Primend Pilvesminar - Enterprise Cloud Suite
Primend
 
Single SignOn with Federation using Claims
Single SignOn with Federation using ClaimsSingle SignOn with Federation using Claims
Single SignOn with Federation using Claims
Volkan Uzun
 
SharePoint Access Control and Claims Based Authentication
SharePoint Access Control and Claims Based AuthenticationSharePoint Access Control and Claims Based Authentication
SharePoint Access Control and Claims Based Authentication
Jonathan Schultz
 
Devi
DeviDevi
Devi
JAYAARC
 
Pki Digital Id Itmc University Wisconsin
Pki Digital Id Itmc University WisconsinPki Digital Id Itmc University Wisconsin
Pki Digital Id Itmc University Wisconsin
Nicholas Davis
 
Wif and sl4 (en)
Wif and sl4 (en)Wif and sl4 (en)
Wif and sl4 (en)
Nuno Godinho
 
Cram Class - Lesson 1
Cram Class - Lesson 1Cram Class - Lesson 1
Cram Class - Lesson 1
AlexsCloud
 
Essential MDM configurations
Essential MDM configurationsEssential MDM configurations
Essential MDM configurations
Peter Hewer
 
Identity Management
Identity ManagementIdentity Management
Identity Management
Venkatesh Jambulingam
 
Solving problems with authentication
Solving problems with authenticationSolving problems with authentication
Solving problems with authentication
MecklerMedia
 
KDAC
KDACKDAC
Saml vs Oauth : Which one should I use?
Saml vs Oauth : Which one should I use?Saml vs Oauth : Which one should I use?
Saml vs Oauth : Which one should I use?
Anil Saldanha
 
20040928-Collaboration-Kosaka.ppt
20040928-Collaboration-Kosaka.ppt20040928-Collaboration-Kosaka.ppt
20040928-Collaboration-Kosaka.ppt
Videoguy
 
Gestión de identidad en Cloud
Gestión de identidad en CloudGestión de identidad en Cloud
Gestión de identidad en Cloud
Ibon Landa
 
SSO - Presentation
SSO - PresentationSSO - Presentation
SSO - Presentation
Christopher Thant
 
It survey
It surveyIt survey
It survey
Laura De Laender
 
Complete Guide to Setup Secure Scheme for Restful APIs
Complete Guide to Setup Secure Scheme for Restful APIsComplete Guide to Setup Secure Scheme for Restful APIs
Complete Guide to Setup Secure Scheme for Restful APIs
Xing (Xingheng) Wang
 
Presentation4 Test
Presentation4 TestPresentation4 Test
Presentation4 Test
Robert Wilson
 
OISC2013_Presentation
OISC2013_PresentationOISC2013_Presentation
OISC2013_Presentation
Austin Nagel
 

What's hot (19)

Primend Pilvesminar - Enterprise Cloud Suite
Primend Pilvesminar - Enterprise Cloud SuitePrimend Pilvesminar - Enterprise Cloud Suite
Primend Pilvesminar - Enterprise Cloud Suite
 
Single SignOn with Federation using Claims
Single SignOn with Federation using ClaimsSingle SignOn with Federation using Claims
Single SignOn with Federation using Claims
 
SharePoint Access Control and Claims Based Authentication
SharePoint Access Control and Claims Based AuthenticationSharePoint Access Control and Claims Based Authentication
SharePoint Access Control and Claims Based Authentication
 
Devi
DeviDevi
Devi
 
Pki Digital Id Itmc University Wisconsin
Pki Digital Id Itmc University WisconsinPki Digital Id Itmc University Wisconsin
Pki Digital Id Itmc University Wisconsin
 
Wif and sl4 (en)
Wif and sl4 (en)Wif and sl4 (en)
Wif and sl4 (en)
 
Cram Class - Lesson 1
Cram Class - Lesson 1Cram Class - Lesson 1
Cram Class - Lesson 1
 
Essential MDM configurations
Essential MDM configurationsEssential MDM configurations
Essential MDM configurations
 
Identity Management
Identity ManagementIdentity Management
Identity Management
 
Solving problems with authentication
Solving problems with authenticationSolving problems with authentication
Solving problems with authentication
 
KDAC
KDACKDAC
KDAC
 
Saml vs Oauth : Which one should I use?
Saml vs Oauth : Which one should I use?Saml vs Oauth : Which one should I use?
Saml vs Oauth : Which one should I use?
 
20040928-Collaboration-Kosaka.ppt
20040928-Collaboration-Kosaka.ppt20040928-Collaboration-Kosaka.ppt
20040928-Collaboration-Kosaka.ppt
 
Gestión de identidad en Cloud
Gestión de identidad en CloudGestión de identidad en Cloud
Gestión de identidad en Cloud
 
SSO - Presentation
SSO - PresentationSSO - Presentation
SSO - Presentation
 
It survey
It surveyIt survey
It survey
 
Complete Guide to Setup Secure Scheme for Restful APIs
Complete Guide to Setup Secure Scheme for Restful APIsComplete Guide to Setup Secure Scheme for Restful APIs
Complete Guide to Setup Secure Scheme for Restful APIs
 
Presentation4 Test
Presentation4 TestPresentation4 Test
Presentation4 Test
 
OISC2013_Presentation
OISC2013_PresentationOISC2013_Presentation
OISC2013_Presentation
 

Viewers also liked

CIS13: So, You Want to Be a Relying Party: Federated Login with Google Identi...
CIS13: So, You Want to Be a Relying Party: Federated Login with Google Identi...CIS13: So, You Want to Be a Relying Party: Federated Login with Google Identi...
CIS13: So, You Want to Be a Relying Party: Federated Login with Google Identi...
CloudIDSummit
 
Common Challenges of Identity Management and Federated Single Sign-On in a Sa...
Common Challenges of Identity Management and Federated Single Sign-On in a Sa...Common Challenges of Identity Management and Federated Single Sign-On in a Sa...
Common Challenges of Identity Management and Federated Single Sign-On in a Sa...
CA Technologies
 
CIS14: Why Federated Access Needs a Federated Identity
CIS14: Why Federated Access Needs a Federated IdentityCIS14: Why Federated Access Needs a Federated Identity
CIS14: Why Federated Access Needs a Federated Identity
CloudIDSummit
 
Enterprise & Web based Federated Identity Management & Data Access Controls
Enterprise & Web based Federated Identity Management & Data Access Controls Enterprise & Web based Federated Identity Management & Data Access Controls
Enterprise & Web based Federated Identity Management & Data Access Controls
Kingsley Uyi Idehen
 
Federation in Practice
Federation in PracticeFederation in Practice
Federation in Practice
ForgeRock
 
OpenAM - An Introduction
OpenAM - An IntroductionOpenAM - An Introduction
OpenAM - An Introduction
ForgeRock
 

Viewers also liked (6)

CIS13: So, You Want to Be a Relying Party: Federated Login with Google Identi...
CIS13: So, You Want to Be a Relying Party: Federated Login with Google Identi...CIS13: So, You Want to Be a Relying Party: Federated Login with Google Identi...
CIS13: So, You Want to Be a Relying Party: Federated Login with Google Identi...
 
Common Challenges of Identity Management and Federated Single Sign-On in a Sa...
Common Challenges of Identity Management and Federated Single Sign-On in a Sa...Common Challenges of Identity Management and Federated Single Sign-On in a Sa...
Common Challenges of Identity Management and Federated Single Sign-On in a Sa...
 
CIS14: Why Federated Access Needs a Federated Identity
CIS14: Why Federated Access Needs a Federated IdentityCIS14: Why Federated Access Needs a Federated Identity
CIS14: Why Federated Access Needs a Federated Identity
 
Enterprise & Web based Federated Identity Management & Data Access Controls
Enterprise & Web based Federated Identity Management & Data Access Controls Enterprise & Web based Federated Identity Management & Data Access Controls
Enterprise & Web based Federated Identity Management & Data Access Controls
 
Federation in Practice
Federation in PracticeFederation in Practice
Federation in Practice
 
OpenAM - An Introduction
OpenAM - An IntroductionOpenAM - An Introduction
OpenAM - An Introduction
 

Similar to Federated and fabulous identity

NIC 2014 Modern Authentication for the Cloud Era
NIC 2014 Modern Authentication for the Cloud EraNIC 2014 Modern Authentication for the Cloud Era
NIC 2014 Modern Authentication for the Cloud Era
Morgan Simonsen
 
Web-services
Web-services Web-services
Web-services
webhostingguy
 
NUS-ISS Learning Day 2019-Software Platforms - Welcoming Unknown Enemies?
NUS-ISS Learning Day 2019-Software Platforms - Welcoming Unknown Enemies?NUS-ISS Learning Day 2019-Software Platforms - Welcoming Unknown Enemies?
NUS-ISS Learning Day 2019-Software Platforms - Welcoming Unknown Enemies?
NUS-ISS
 
Identity 2.0 and User-Centric Identity
Identity 2.0 and User-Centric IdentityIdentity 2.0 and User-Centric Identity
Identity 2.0 and User-Centric Identity
Oliver Pfaff
 
talk6securingcloudamarprusty-191030091632.pptx
talk6securingcloudamarprusty-191030091632.pptxtalk6securingcloudamarprusty-191030091632.pptx
talk6securingcloudamarprusty-191030091632.pptx
TrongMinhHoang1
 
Cloud Security
Cloud SecurityCloud Security
Cloud Security
AWS User Group Bengaluru
 
Cloud Security
Cloud SecurityCloud Security
Cloud Security
AWS User Group Bengaluru
 
SharePointFest 2013 Washington DC - SPT 103 - SharePoint 2013 Extranets: How ...
SharePointFest 2013 Washington DC - SPT 103 - SharePoint 2013 Extranets: How ...SharePointFest 2013 Washington DC - SPT 103 - SharePoint 2013 Extranets: How ...
SharePointFest 2013 Washington DC - SPT 103 - SharePoint 2013 Extranets: How ...
Brian Culver
 
SC-900 Concepts of Security, Compliance, and Identity
SC-900 Concepts of Security, Compliance, and IdentitySC-900 Concepts of Security, Compliance, and Identity
SC-900 Concepts of Security, Compliance, and Identity
FredBrandonAuthorMCP
 
20160304 blockchain in fsi client ready raymond
20160304 blockchain in fsi client ready raymond20160304 blockchain in fsi client ready raymond
20160304 blockchain in fsi client ready raymond
Meng-Ru (Raymond) Tsai
 
Common Data Service – A Business Database!
Common Data Service – A Business Database!Common Data Service – A Business Database!
Common Data Service – A Business Database!
Pedro Azevedo
 
Null talk
Null talkNull talk
Null talk
Agam Jain
 
How to deploy SharePoint 2010 to external users?
How to deploy SharePoint 2010 to external users?How to deploy SharePoint 2010 to external users?
How to deploy SharePoint 2010 to external users?
rlsoft
 
Securing Applications in the Cloud
Securing Applications in the CloudSecuring Applications in the Cloud
Securing Applications in the Cloud
Security Innovation
 
SWXG 2010.6.9 v2
SWXG 2010.6.9 v2SWXG 2010.6.9 v2
SWXG 2010.6.9 v2
Paul Trevithick
 
Safenet Authentication Service, SAS
Safenet Authentication Service, SASSafenet Authentication Service, SAS
Safenet Authentication Service, SAS
robbuddingh
 
Development of Digital Identity Systems
Development of Digital Identity Systems Development of Digital Identity Systems
Development of Digital Identity Systems
Maganathin Veeraragaloo
 
Citrix Day 2014: ShareFile Enterprise
Citrix Day 2014: ShareFile EnterpriseCitrix Day 2014: ShareFile Enterprise
Citrix Day 2014: ShareFile Enterprise
Digicomp Academy AG
 
CTU June 2011 - Windows Azure App Fabric
CTU June 2011 - Windows Azure App FabricCTU June 2011 - Windows Azure App Fabric
CTU June 2011 - Windows Azure App Fabric
Spiffy
 
IBM Spectrum Scale Authentication for Protocols
IBM Spectrum Scale Authentication for ProtocolsIBM Spectrum Scale Authentication for Protocols
IBM Spectrum Scale Authentication for Protocols
Sandeep Patil
 

Similar to Federated and fabulous identity (20)

NIC 2014 Modern Authentication for the Cloud Era
NIC 2014 Modern Authentication for the Cloud EraNIC 2014 Modern Authentication for the Cloud Era
NIC 2014 Modern Authentication for the Cloud Era
 
Web-services
Web-services Web-services
Web-services
 
NUS-ISS Learning Day 2019-Software Platforms - Welcoming Unknown Enemies?
NUS-ISS Learning Day 2019-Software Platforms - Welcoming Unknown Enemies?NUS-ISS Learning Day 2019-Software Platforms - Welcoming Unknown Enemies?
NUS-ISS Learning Day 2019-Software Platforms - Welcoming Unknown Enemies?
 
Identity 2.0 and User-Centric Identity
Identity 2.0 and User-Centric IdentityIdentity 2.0 and User-Centric Identity
Identity 2.0 and User-Centric Identity
 
talk6securingcloudamarprusty-191030091632.pptx
talk6securingcloudamarprusty-191030091632.pptxtalk6securingcloudamarprusty-191030091632.pptx
talk6securingcloudamarprusty-191030091632.pptx
 
Cloud Security
Cloud SecurityCloud Security
Cloud Security
 
Cloud Security
Cloud SecurityCloud Security
Cloud Security
 
SharePointFest 2013 Washington DC - SPT 103 - SharePoint 2013 Extranets: How ...
SharePointFest 2013 Washington DC - SPT 103 - SharePoint 2013 Extranets: How ...SharePointFest 2013 Washington DC - SPT 103 - SharePoint 2013 Extranets: How ...
SharePointFest 2013 Washington DC - SPT 103 - SharePoint 2013 Extranets: How ...
 
SC-900 Concepts of Security, Compliance, and Identity
SC-900 Concepts of Security, Compliance, and IdentitySC-900 Concepts of Security, Compliance, and Identity
SC-900 Concepts of Security, Compliance, and Identity
 
20160304 blockchain in fsi client ready raymond
20160304 blockchain in fsi client ready raymond20160304 blockchain in fsi client ready raymond
20160304 blockchain in fsi client ready raymond
 
Common Data Service – A Business Database!
Common Data Service – A Business Database!Common Data Service – A Business Database!
Common Data Service – A Business Database!
 
Null talk
Null talkNull talk
Null talk
 
How to deploy SharePoint 2010 to external users?
How to deploy SharePoint 2010 to external users?How to deploy SharePoint 2010 to external users?
How to deploy SharePoint 2010 to external users?
 
Securing Applications in the Cloud
Securing Applications in the CloudSecuring Applications in the Cloud
Securing Applications in the Cloud
 
SWXG 2010.6.9 v2
SWXG 2010.6.9 v2SWXG 2010.6.9 v2
SWXG 2010.6.9 v2
 
Safenet Authentication Service, SAS
Safenet Authentication Service, SASSafenet Authentication Service, SAS
Safenet Authentication Service, SAS
 
Development of Digital Identity Systems
Development of Digital Identity Systems Development of Digital Identity Systems
Development of Digital Identity Systems
 
Citrix Day 2014: ShareFile Enterprise
Citrix Day 2014: ShareFile EnterpriseCitrix Day 2014: ShareFile Enterprise
Citrix Day 2014: ShareFile Enterprise
 
CTU June 2011 - Windows Azure App Fabric
CTU June 2011 - Windows Azure App FabricCTU June 2011 - Windows Azure App Fabric
CTU June 2011 - Windows Azure App Fabric
 
IBM Spectrum Scale Authentication for Protocols
IBM Spectrum Scale Authentication for ProtocolsIBM Spectrum Scale Authentication for Protocols
IBM Spectrum Scale Authentication for Protocols
 

Recently uploaded

HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUHCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
panagenda
 
Infrastructure Challenges in Scaling RAG with Custom AI models
Infrastructure Challenges in Scaling RAG with Custom AI modelsInfrastructure Challenges in Scaling RAG with Custom AI models
Infrastructure Challenges in Scaling RAG with Custom AI models
Zilliz
 
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development ProvidersYour One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
akankshawande
 
Fueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte WebinarFueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte Webinar
Zilliz
 
Generating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and MilvusGenerating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and Milvus
Zilliz
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
Quotidiano Piemontese
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
Safe Software
 
Building Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and MilvusBuilding Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and Milvus
Zilliz
 
Mariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceXMariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceX
Mariano Tinti
 
“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”
Claudio Di Ciccio
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
Alpen-Adria-Universität
 
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success StoryDriving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Safe Software
 
AI 101: An Introduction to the Basics and Impact of Artificial Intelligence
AI 101: An Introduction to the Basics and Impact of Artificial IntelligenceAI 101: An Introduction to the Basics and Impact of Artificial Intelligence
AI 101: An Introduction to the Basics and Impact of Artificial Intelligence
IndexBug
 
June Patch Tuesday
June Patch TuesdayJune Patch Tuesday
June Patch Tuesday
Ivanti
 
Best 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERPBest 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERP
Pixlogix Infotech
 
OpenID AuthZEN Interop Read Out - Authorization
OpenID AuthZEN Interop Read Out - AuthorizationOpenID AuthZEN Interop Read Out - Authorization
OpenID AuthZEN Interop Read Out - Authorization
David Brossard
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
Aftab Hussain
 
GenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizationsGenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizations
kumardaparthi1024
 
Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of GermanyPresentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
innovationoecd
 
Programming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup SlidesProgramming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup Slides
Zilliz
 

Recently uploaded (20)

HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUHCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
 
Infrastructure Challenges in Scaling RAG with Custom AI models
Infrastructure Challenges in Scaling RAG with Custom AI modelsInfrastructure Challenges in Scaling RAG with Custom AI models
Infrastructure Challenges in Scaling RAG with Custom AI models
 
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development ProvidersYour One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
 
Fueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte WebinarFueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte Webinar
 
Generating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and MilvusGenerating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and Milvus
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
 
Building Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and MilvusBuilding Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and Milvus
 
Mariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceXMariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceX
 
“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
 
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success StoryDriving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success Story
 
AI 101: An Introduction to the Basics and Impact of Artificial Intelligence
AI 101: An Introduction to the Basics and Impact of Artificial IntelligenceAI 101: An Introduction to the Basics and Impact of Artificial Intelligence
AI 101: An Introduction to the Basics and Impact of Artificial Intelligence
 
June Patch Tuesday
June Patch TuesdayJune Patch Tuesday
June Patch Tuesday
 
Best 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERPBest 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERP
 
OpenID AuthZEN Interop Read Out - Authorization
OpenID AuthZEN Interop Read Out - AuthorizationOpenID AuthZEN Interop Read Out - Authorization
OpenID AuthZEN Interop Read Out - Authorization
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
 
GenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizationsGenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizations
 
Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of GermanyPresentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
 
Programming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup SlidesProgramming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup Slides
 

Federated and fabulous identity

  • 1. Federated and fabulous identity André N. Klingsheim - @klingsen AppSec AS Dataforeningen 18.09.2013
  • 2. Outline • Federated Identity • WS-Federation • Architectural advantages • Building federated identity systems • Demo
  • 3. Federated identity • Federation – A federation is a collection of realms that have established a producer-consumer relationship whereby one realm can provide authorized access to a resource it manages based on an identity, and possibly associated attributes, that are asserted in another realm*.  TL;DR: A company can give access to a resource based on an identity asserted by another company. • Identity – The identity of an individual is the set of information associated with that individual in a particular computer system.**  Can be extended to system entities, such as computers/service accounts.  The term "principal" is used to refer to system entities/individuals in computer systems. ** S. T. Kent and L. I. Millett, editors, Who Goes There? Authentication Through the Lens of Privacy, The National Academies Press, 2003 * Web Services Federation Language (WS-Federation), Version 1.1, December 2006
  • 4. The problem at hand User Collaboration website https://collaboration.partner.com My company (Realm) Partner company (Realm)
  • 5. The classic approach • Partner company maintains a user database for its application • Each user from our company is assigned an account for partner's application • Typical login: username/password • Many partner websites -> many usernames/passwords • Challenging to maintain these userIDs  User quits the company, internal account closed. What about accounts in all partnering companies' applications?  Challenging to keep track of who has access to what  No central management of Ids • Federated identity to the rescue!
6. WS-Federation
   • Web Services Federation Language
     - Contributors: Microsoft, IBM, Novell, Verisign and more.
     - Industry standard, freely available.
     - Builds upon WS-Security and WS-Trust.
   • Defines mechanisms to allow different security realms to federate
   • Focused on web services
   • Also includes a specification for Web (Passive) Requestors
     - Enables the WS-Federation protocol to be run through a web browser
     - Involves real people!
     - We'll be focusing on the web scenario.
7. The building blocks
   • Trust – Trust is the characteristic that one entity is willing to rely upon a second entity to execute a set of actions and/or to make a set of assertions* about a set of subjects and/or scopes.
   • Claims based identity
     - Claim – A claim is a declaration made by an entity (e.g. name, identity, key, group, privilege, capability, etc.).
     - Means to (securely) communicate identity information between realms
     - Security Token – A security token represents a collection (one or more) of claims.
   * Claim and assertion are synonyms
8. Important roles
   • Identity Provider (IP) – An Identity Provider is an entity that acts as an authentication service to end requestors and a data origin authentication service to service providers.
   • Security Token Service (STS) – A Security Token Service is a Web service that provides issuance and management of security tokens.
   • Relying Party (RP) – A Web application or service that consumes Security Tokens issued by a Security Token Service.
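The passive requestor profile that slide 6 narrows the talk to runs entirely through browser redirects and form posts, and the slides never spell out what those messages carry. The following is an added illustration (not code from the talk) of the sign-in and sign-out messages an RP exchanges with an STS: the `wsignin1.0` redirect with `wtrealm`/`wreply`/`wctx`, the response the STS posts back, and the `wsignout1.0` request. The STS URL (https://adfs.domain.com/STS) and the RP realm (https://collaboration.partner.com) come from the slides; the `/signin` reply path, the in-memory state store and the response contents are assumptions.

```python
"""WS-Federation passive requestor profile: the browser-mediated messages between
an RP and an STS. Added illustration, not code from the talk.

Assumed: the wreply path, the in-memory pending-sign-in store and the shape of
the constructed responses. URLs of the STS and RP follow the slides.
"""
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

STS_ENDPOINT = "https://adfs.domain.com/STS"            # from the slides
RP_REALM = "https://collaboration.partner.com/"         # wtrealm: the RP's identifier at the STS
RP_REPLY = "https://collaboration.partner.com/signin"   # assumed: where the STS posts the token back

# Pending sign-ins keyed by wctx, so a response can be matched to a request this
# RP actually issued (assumed in-memory store; a real RP would persist per session).
_pending = {}


def build_signin_url(return_to="/"):
    """Step 1: the RP redirects the browser to the STS.

    wctx is opaque RP state that the STS echoes back verbatim; it is generated
    here rather than derived from the request so it cannot be guessed or forged.
    """
    wctx = secrets.token_urlsafe(24)
    _pending[wctx] = return_to
    params = {
        "wa": "wsignin1.0",     # the action: sign in
        "wtrealm": RP_REALM,    # which RP the token is for
        "wreply": RP_REPLY,     # where to post the token
        "wctx": wctx,           # RP state carried through the round trip
    }
    return f"{STS_ENDPOINT}?{urlencode(params)}"


def parse_signin_response(form):
    """Step 2: after authenticating the user, the STS renders an HTML form that the
    browser auto-submits to wreply with wa=wsignin1.0, the echoed wctx and
    wresult=<RequestSecurityTokenResponse ...> wrapping the security token.

    Returns (wresult, return_to). Only correlates the response; validating the
    token inside wresult (issuer, signature, lifetime, audience) is a separate step.
    """
    if form.get("wa") != "wsignin1.0":
        raise ValueError("not a sign-in response")
    # pop(): each wctx is consumed once, so a replayed POST cannot be correlated
    return_to = _pending.pop(form.get("wctx", ""), None)
    if return_to is None:
        raise ValueError("unknown or already-used wctx")
    wresult = form.get("wresult")
    if not wresult:
        raise ValueError("missing wresult")
    return wresult, return_to


def build_signout_url():
    """Sign-out: the RP sends the browser to the STS with wa=wsignout1.0. The STS
    ends the federated session, notifies the RPs the user signed in to
    (wsignoutcleanup1.0) and returns the browser to wreply."""
    params = {"wa": "wsignout1.0", "wreply": RP_REALM}
    return f"{STS_ENDPOINT}?{urlencode(params)}"


def signin_params(url):
    """Decode the query string of a sign-in/sign-out URL (for inspection)."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
```

Two points worth noting: the RP never sees the user's password, only the posted `wresult`, which is why slide 9's checks on the token matter so much; and because `wctx` is returned by whoever posts to `wreply`, consuming it once is what stops a captured response from being replayed into a fresh browser session.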
9. Security token
   • Contains claims about the user
     - Typical claims: username, user's name, e-mail address, groups (for authz)
   • Signed by the STS
     - RP can verify that it was issued by a trusted STS
     - Tamper-evident: any change to the token invalidates the signature
   • Lifetime (valid from/to); the RP must reject tokens outside the window
   • Intended for a particular RP; the RP must check that it is the audience
   • Can also be encrypted -> only the intended RP can decrypt it
   • Can be in different formats, often SAML
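The slide lists what a token carries but not the order in which an RP should check it. Below is an added example (not code from the talk, and not the WIF token handlers the talk demos) of the RP-side checks: trusted issuer first, then integrity, then lifetime with clock skew, then audience, and only then claims. The assertion layout follows SAML 1.1 as issued by WS-Federation STSs; the signature is an HMAC over the serialized assertion standing in for XML-DSig, which needs a library outside the Python standard library. With a real token the integrity step verifies an RSA signature against the STS's signing certificate, and the rest applies unchanged. The issuer URL and RP audience come from the slides; the key, claim values and clock-skew allowance are assumptions.

```python
"""RP-side validation of a security token, as on slide 9. Added illustration,
not code from the talk.

Assumed: the HMAC key (a stand-in for the STS signing certificate), the
5-minute clock skew, and the sample claims. SAML 1.1 layout: Issuer is an
attribute of <Assertion>, lifetime and audience live under <Conditions>.
"""
import hmac
import hashlib
from datetime import timedelta, datetime, timezone
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
NS = {"saml": SAML}

RP_AUDIENCE = "https://collaboration.partner.com/"                      # from the slides
TRUSTED_ISSUERS = {"https://adfs.domain.com/STS": b"stand-in-for-sts-signing-cert"}  # key assumed
CLOCK_SKEW = timedelta(minutes=5)                                       # assumed allowance


def _fmt(t):
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")


def _parse(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def issue_token(issuer, key, audience, claims, now, lifetime=timedelta(minutes=10)):
    """STS side: build a SAML 1.1-style assertion and 'sign' it (constructed sample)."""
    ET.register_namespace("saml", SAML)
    a = ET.Element(f"{{{SAML}}}Assertion", Issuer=issuer, IssueInstant=_fmt(now))
    cond = ET.SubElement(a, f"{{{SAML}}}Conditions",
                         NotBefore=_fmt(now), NotOnOrAfter=_fmt(now + lifetime))
    ar = ET.SubElement(cond, f"{{{SAML}}}AudienceRestrictionCondition")
    ET.SubElement(ar, f"{{{SAML}}}Audience").text = audience
    st = ET.SubElement(a, f"{{{SAML}}}AttributeStatement")
    for name, value in claims:
        attr = ET.SubElement(st, f"{{{SAML}}}Attribute", AttributeName=name)
        ET.SubElement(attr, f"{{{SAML}}}AttributeValue").text = value
    xml = ET.tostring(a, encoding="unicode")
    sig = hmac.new(key, xml.encode(), hashlib.sha256).hexdigest()   # stand-in for XML-DSig
    return {"assertion": xml, "signature": sig}


class TokenError(Exception):
    pass


def validate_token(token, now):
    """RP side. Identify the issuer first so the signature is checked with that
    issuer's key; reject before any claim is read or acted on."""
    root = ET.fromstring(token["assertion"])
    issuer = root.get("Issuer")
    key = TRUSTED_ISSUERS.get(issuer)
    if key is None:
        raise TokenError(f"untrusted issuer {issuer!r}")
    expected = hmac.new(key, token["assertion"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["signature"]):
        raise TokenError("signature mismatch: altered or not issued by this STS")
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise TokenError("no Conditions: lifetime and audience unknown")
    if now + CLOCK_SKEW < _parse(cond.get("NotBefore")):
        raise TokenError("token not yet valid")
    if now - CLOCK_SKEW >= _parse(cond.get("NotOnOrAfter")):
        raise TokenError("token expired")
    audiences = [e.text for e in cond.findall("saml:AudienceRestrictionCondition/saml:Audience", NS)]
    if RP_AUDIENCE not in audiences:
        raise TokenError(f"token intended for {audiences}, not this RP")
    claims = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = claims.setdefault(attr.get("AttributeName"), [])
        values.append(attr.findtext("saml:AttributeValue", namespaces=NS))
    return claims


def check(token, now):
    """Convenience wrapper: ('ok', claims) or ('rejected', reason)."""
    try:
        return "ok", validate_token(token, now)
    except TokenError as e:
        return "rejected", str(e)
```

The audience check is the one most often skipped in home-grown RPs: without it, a token issued for another RP in the same federation (the "Another partner company" on slide 12) is accepted here, and anyone who can obtain a token for a low-value RP can present it to a high-value one.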
12. [Diagram: a User in My company (Realm) authenticates at the IP/STS; Relying parties in Partner company (Realm) and Another partner company (Realm) consume the issued tokens]

13. Architectural advantages
   • Separates authentication logic from the application
   • Enables single sign-on for a suite of applications
     - Provides a seamless experience across stand-alone applications
   • Yields great flexibility when building e.g. an online bank
     - Different services can be provided through separate applications
     - Simplifies releases
     - Makes it easier for multiple teams to work in parallel
     - Opens the possibility to host different applications in separate environments
       E.g. some apps hosted locally, some apps hosted in the cloud
     - Simplifies integration of third-party applications
     - Facilitates privacy by design, carefully selecting the claims provided to various applications

14. How we used to do things
   [Diagram: sample online banking application, one monolith containing Authentication, Accounts/payment, Stocks/fund, Debit/credit cards, Loans, Personal finance]

15. How we can do things now
   [Diagram: sample online banking application suite; Authentication moved into an IP/STS, with Personal finance, Accounts/payment, Stocks/fund, Debit/credit cards and Loans as separate RPs]

16. A few challenges
   • Providing flexibility in common functionality
     - Handling change to "shared" menus etc.
   • Care must be taken with regard to session management

17. Building federated identity systems
   • We need at least three things: an IP, an STS, and an RP
   • The RP usually contains the features (customer value). Everyone wants this!
   • IPs and STSs you build because you have to (though some of us think it's great fun)
   • Want to spend as much time as possible on building the fun stuff: features.
   • Authentication as a service?
18. Windows Identity Foundation
   • Framework for building identity-aware applications
   • Included in the .NET Framework 4.5
     - Available as a separate library before .NET 4.5
   • Provides APIs for building Relying Parties and STSs
     - Provides a programming model for working with claims based identity
   • Provides out-of-the-box functionality for RPs

19. AD FS
   • Active Directory Federation Services
   • AD-integrated STS
   • Included in Windows Server 2008/2012
   • Enables federation of AD identities
   • Seamless experience for users

20. AD FS
   [Diagram: a User in My company authenticates against AD via AD FS at https://adfs.domain.com/STS (IP/STS); the Collaboration website at https://collaboration.partner.com in the Partner company is the RP, fronted by its own STS]

21. ACS
   • Windows Azure Active Directory Access Control (aka ACS)
   • Cloud based service
   • Facilitates authentication and manages authorization of users
   • Supports several identity providers
     - AD FS
     - Windows Live ID / Google / Yahoo! / Facebook
   • Windows Identity Foundation integration

22. ACS
   [Diagram: a User reaches Useful website at https://usefulwebsite.mycompany.com (My company) through ACS in the cloud, which federates with Windows Live ID and Google]

23. Demo!

24. Thank you!
   André N. Klingsheim - @klingsen, AppSec AS
   www.dotnetnoob.com

Editor's Notes

1. Digital Identity – A digital representation of a principal (or group of principals) that is unique to that principal (or group), and that acts as a reference to that principal (or group). For example, an email address MAY be treated as a digital identity, just as a machine's unique IP address MAY also be treated as a digital identity, or even a generated unique identifier. In the context of this document, the term identity is often used to refer to a digital identity. A principal may have multiple digital identities,
2. Log in to the STS