All Rights Reserved | FIDO Alliance | Copyright 20181
INTEGRATING
FIDO AUTHENTICATION
& FEDERATION PROTOCOLS
BEST PRACTICES FOR
ENTERPRISE DEPLOYMENT
AGENDA
• Does FIDO complement Federation?
• What are the benefits in pairing FIDO and Federation?
• How to integrate FIDO with modern Federation protocols?
All Rights Reserved | FIDO Alliance | Copyright 20182
What is FIDO?
Physical-to-digital identity
User Management
AUTHENTICATION
Federation
Single
Sign-On
Passwords SimpleStrong
FIDO Authentication
FIDO is an authentication protocol
FIDO is not a federation protocol
FIDO is not an authorization protocol
FIDO is not an identity standard
All Rights Reserved | FIDO Alliance | Copyright 20183
How does FIDO Work?
RP Application
FIDO Client
USER’S DEVICE
RP Server
FIDO Server
RELYING PARTY
Generic View
Authenticator
Architecture
All Rights Reserved | FIDO Alliance | Copyright 20184
How does FIDO Work?
RP Application
FIDO Client
USER’S DEVICE
RP Server
FIDO Server
RELYING PARTYGeneric View
Authenticator
Registration
Private attestation key
Private
authentication
key
Public
Authentication
key
All Rights Reserved | FIDO Alliance | Copyright 20185
How does FIDO Work?
RP Application
FIDO Client
USER’S DEVICE
RP Server
FIDO Server
RELYING PARTYGeneric View
Authenticator
(Signed) Response
Challenge
Require user gesture
before private key
can be used
Authentication
Private attestation key
Private
authentication
key
Public
Authentication
key
All Rights Reserved | FIDO Alliance | Copyright 20186
FIDO and User Identity
AuthenticatorUser verification FIDO Authentication
Same Authenticator
as registered before?
Same User as enrolled
before?
Identity proofing and binding done
outside FIDO
…
No user attributes
in FIDO server
No user attributes in
the Authenticator
All Rights Reserved | FIDO Alliance | Copyright 20187
RP 1
Authenticator
One Authenticator, Many Applications
Origin 1 Origin 2 Origin 1
Unique authn keys per RP
Isolation of authentication transactions
Account 2Account 1 Account 3 Account m
RP 2 RP n
………
Non-linkability
All Rights Reserved | FIDO Alliance | Copyright 20188
FIDO Benefits to the User
Reduce the burden of
remembering multiple passwords
Use a simple gesture for
authentication
Use one authenticator with
multiple applications
Biometric data is local
No secrets on the server
No linkability between RPs
All Rights Reserved | FIDO Alliance | Copyright 20189
Reduce the burden of using a
variety of two-factor
authentication form factors
Preserve user privacy
What Problems Does Federation Solve?
Without Federation,
Users have to:
Remember multiple passwords
Sign-in multiple times a day
Administrators have to manage:
Authentication policies,
Group permissions and
User accounts
Across multiple domains
Reduced productivity
Increased number help desk calls
Increased administration overhead
Increased security risks
All Rights Reserved | FIDO Alliance | Copyright 201810
How Federation Solves These Problems
All Rights Reserved | FIDO Alliance | Copyright 201811
RP
User
User
Authentication
Authenticated
Session
Identity Information
Three-Party Trust Relationship
IdPRP
RP
RP
Authentication
Statement
Identity
Source
Federation Benefits to End Users
RP
User
AuthenticationSession
Identity Information
Three-Party Trust Relationship
Users remember one password,
sign in once and access multiple
applications
IdPRP
RP
RP
All Rights Reserved | FIDO Alliance | Copyright 201812
Federation Benefits to Relying Parties
IdPRP
User
AuthenticationSession
Identity Information
Three-Party Trust Relationship
IdP
IdP
RPs move user identity to trusted
third-party authentication
authorities
All Rights Reserved | FIDO Alliance | Copyright 201813
Federation Benefits to Identity Providers
IdPRP
User
AuthenticationSingle-Sign On
Identity Information
Three-Party Trust Relationship
RP
RP
IdPs link user identity to multiple RPs
- Reduce security risk and administration overhead
- Enforce strong authentication and enable SSO
- Protect user identity attributes
All Rights Reserved | FIDO Alliance | Copyright 201814
The Downside of Federation
Users hate to use complex passwords for primary
authentication
Organizations have major concerns about password security
Stronger and more convenient authentication methods
are needed
All Rights Reserved | FIDO Alliance | Copyright 201815
FIDO is the Solution
All Rights Reserved | FIDO Alliance | Copyright 201816
How FIDO Deployment Complements
Federation
RP
Authentication
(FIDO-based)
Session
Identity Information
Redirect
IdP
FIDO Server
RP
RP
IdP Server
Browser w/
FIDO Client
Authenticator
All Rights Reserved | FIDO Alliance | Copyright 201817
• Lower cost of ownership
• Lower security risks
• Lower help desk calls
• Increased productivityOne authenticator, one
credential for multiple RPs
No changes to RP
applications
User Environment
Relying Party
(Application or Service Provider)
Identity Provider
(e.g SAML IDP, OpenID Provider)
FIDO Server
User Agent
FIDO
Authenticator
FIDO
Client
1 Initial Sign-in or Step-up access
3. FIDO challenge/response
Federation Protocol
Federated Authentication Flow with FIDO
3. FIDO challenge/response
2. Authentication Request
4. Authentication Response indicating FIDO
All Rights Reserved | FIDO Alliance | Copyright 201818
How to Apply FIDO-based Authentication
Preconfigured IdP Authentication Policy
• Global or per-RP policy set in the IdP
Just-in-Time RP Authentication Policy
• Specified by RP in the authentication request using authn context class reference
• AuthnContextClassRef parameter in SAML
• Acr_values request parameter in OIDC
• IdP returns information indicating that FIDO-based auth was used
• Using AuthnContextClassRef in SAML
• Using acr and amr claims In ID Token in OIDC
All Rights Reserved | FIDO Alliance | Copyright 201819
Use AuthnContextClassRef in SAML for JIT
enforcement
Sa m ple SA ML Reques t
Sa m ple SA ML Res po ns e
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
…
<samlp:RequestedAuthnContext Comparison="exact">
...
<saml:AuthnContextClassRef>urn:rsa:names:tc:SAML:2.0:ac:classes:MediumAssurance</saml:AuthnContextClassRef>
…
</samlp:RequestedAuthnContext>
…
</samlp:AuthnRequest>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ….
<saml:AuthnStatement AuthnInstant="2014-07-17T01:01:48Z" …..
….
<saml:AuthnContextClassRef>urn:rsa:names:tc:SAML:2.0:ac:classes:FIDO</saml:AuthnContextClassRef>
……
</saml:AuthnStatement>
…
</samlp:Response>
All Rights Reserved | FIDO Alliance | Copyright 201820
Use acr_values in OIDC for JIT
enforcement
Sample OIDC Request /Response
EndpointURI: https://tenant.server.example.com/oidc/auth
Http Parameters: {
response_type: id_token,
client_id: rp_client,
response_mode: query,
redirect_uri: https://rp.example.com/oidc-rp/,
scope: openid,
……
acr_values: phr phrh mfa
RedirectURI: https://rp.example.com/oidc-rp/
Http Parameters: {
…….
'id_token' content:
{
"auth_time":1490898779,
"exp":1490899139,
"sub":"someone@example.com",
…….
"iss":" https://tenant.server.example.com/oidc-fe",
"iat":1490898779,
"acr":“phrh",
"amr":[“hwk"]
}
}
ACR policy identifiers that can be satisfied by FIDO Authenticators are defined OpenID Connect (EAP) ACR Values specification
All Rights Reserved | FIDO Alliance | Copyright 201821
Other
Deployment
Options
IdP
Primary Authentication
using non-FIDO method
Session
Identity Information
Secondary/Step-up
Authentication Using FIDO
RP
FIDO Server
RP Server
Browser w/
FIDO Client
Authenticator
All Rights Reserved | FIDO Alliance | Copyright 201822
Other
Deployment
Options
Primary
Authentication
using 1st key
Session
Identity Information
Proof of Possession of
2nd key
IdP
FIDO Server
IdP Server
RP
FIDO Server
RP Server
Based on NIST 800-63-3 requirements for FAL3,
this deployment model can qualify for FAL 3
(provided that other conditions are met)
Browser w/
FIDO Client
Authenticator
All Rights Reserved | FIDO Alliance | Copyright 201823
Benefits of FIDO & Federation Integration
Users continue to enjoy the benefits of Federated SSO,
while FIDO provides a more convenient, more secure and
privacy preserving method of authentication
Organizations offer a streamlined authentication method
without putting user identity attributes at risk
All Rights Reserved | FIDO Alliance | Copyright 201824
While using Federation Authentication, add FIDO support
today and get its benefits
- 200+ Certified FIDO authenticators
- 85+ FIDO certified server implementations
- Some are deployed as part of a Federated authentication solution
For more details on FIDO and Federation integration, read
FIDO Alliance Enterprise Adoption Best Practices white
paper
All Rights Reserved | FIDO Alliance | Copyright 201825

Integrating FIDO Authentication & Federation Protocols

  • 1.
    All Rights Reserved| FIDO Alliance | Copyright 20181 INTEGRATING FIDO AUTHENTICATION & FEDERATION PROTOCOLS BEST PRACTICES FOR ENTERPRISE DEPLOYMENT
  • 2.
    AGENDA • Does FIDOcomplement Federation? • What are the benefits in pairing FIDO and Federation? • How to integrate FIDO with modern Federation protocols? All Rights Reserved | FIDO Alliance | Copyright 20182
  • 3.
    What is FIDO? Physical-to-digitalidentity User Management AUTHENTICATION Federation Single Sign-On Passwords SimpleStrong FIDO Authentication FIDO is an authentication protocol FIDO is not a federation protocol FIDO is not an authorization protocol FIDO is not an identity standard All Rights Reserved | FIDO Alliance | Copyright 20183
  • 4.
    How does FIDOWork? RP Application FIDO Client USER’S DEVICE RP Server FIDO Server RELYING PARTY Generic View Authenticator Architecture All Rights Reserved | FIDO Alliance | Copyright 20184
  • 5.
    How does FIDOWork? RP Application FIDO Client USER’S DEVICE RP Server FIDO Server RELYING PARTYGeneric View Authenticator Registration Private attestation key Private authentication key Public Authentication key All Rights Reserved | FIDO Alliance | Copyright 20185
  • 6.
    How does FIDOWork? RP Application FIDO Client USER’S DEVICE RP Server FIDO Server RELYING PARTYGeneric View Authenticator (Signed) Response Challenge Require user gesture before private key can be used Authentication Private attestation key Private authentication key Public Authentication key All Rights Reserved | FIDO Alliance | Copyright 20186
  • 7.
    FIDO and UserIdentity AuthenticatorUser verification FIDO Authentication Same Authenticator as registered before? Same User as enrolled before? Identity proofing and binding done outside FIDO … No user attributes in FIDO server No user attributes in the Authenticator All Rights Reserved | FIDO Alliance | Copyright 20187
  • 8.
    RP 1 Authenticator One Authenticator,Many Applications Origin 1 Origin 2 Origin 1 Unique authn keys per RP Isolation of authentication transactions Account 2Account 1 Account 3 Account m RP 2 RP n ……… Non-linkability All Rights Reserved | FIDO Alliance | Copyright 20188
  • 9.
    FIDO Benefits tothe User Reduce the burden of remembering multiple passwords Use a simple gesture for authentication Use one authenticator with multiple applications Biometric data is local No secrets on the server No linkability between RPs All Rights Reserved | FIDO Alliance | Copyright 20189 Reduce the burden of using a variety of two-factor authentication form factors Preserve user privacy
  • 10.
    What Problems DoesFederation Solve? Without Federation, Users have to: Remember multiple passwords Sign-in multiple times a day Administrators have to manage: Authentication policies, Group permissions and User accounts Across multiple domains Reduced productivity Increased number help desk calls Increased administration overhead Increased security risks All Rights Reserved | FIDO Alliance | Copyright 201810
  • 11.
    How Federation SolvesThese Problems All Rights Reserved | FIDO Alliance | Copyright 201811 RP User User Authentication Authenticated Session Identity Information Three-Party Trust Relationship IdPRP RP RP Authentication Statement Identity Source
  • 12.
    Federation Benefits toEnd Users RP User AuthenticationSession Identity Information Three-Party Trust Relationship Users remember one password, sign in once and access multiple applications IdPRP RP RP All Rights Reserved | FIDO Alliance | Copyright 201812
  • 13.
    Federation Benefits toRelying Parties IdPRP User AuthenticationSession Identity Information Three-Party Trust Relationship IdP IdP RPs move user identity to trusted third-party authentication authorities All Rights Reserved | FIDO Alliance | Copyright 201813
  • 14.
    Federation Benefits toIdentity Providers IdPRP User AuthenticationSingle-Sign On Identity Information Three-Party Trust Relationship RP RP IdPs link user identity to multiple RPs - Reduce security risk and administration overhead - Enforce strong authentication and enable SSO - Protect user identity attributes All Rights Reserved | FIDO Alliance | Copyright 201814
  • 15.
    The Downside ofFederation Users hate to use complex passwords for primary authentication Organizations have major concerns about password security Stronger and more convenient authentication methods are needed All Rights Reserved | FIDO Alliance | Copyright 201815
  • 16.
    FIDO is theSolution All Rights Reserved | FIDO Alliance | Copyright 201816
  • 17.
    How FIDO DeploymentComplements Federation RP Authentication (FIDO-based) Session Identity Information Redirect IdP FIDO Server RP RP IdP Server Browser w/ FIDO Client Authenticator All Rights Reserved | FIDO Alliance | Copyright 201817 • Lower cost of ownership • Lower security risks • Lower help desk calls • Increased productivityOne authenticator, one credential for multiple RPs No changes to RP applications
  • 18.
    User Environment Relying Party (Applicationor Service Provider) Identity Provider (e.g SAML IDP, OpenID Provider) FIDO Server User Agent FIDO Authenticator FIDO Client 1 Initial Sign-in or Step-up access 3. FIDO challenge/response Federation Protocol Federated Authentication Flow with FIDO 3. FIDO challenge/response 2. Authentication Request 4. Authentication Response indicating FIDO All Rights Reserved | FIDO Alliance | Copyright 201818
  • 19.
    How to ApplyFIDO-based Authentication Preconfigured IdP Authentication Policy • Global or per-RP policy set in the IdP Just-in-Time RP Authentication Policy • Specified by RP in the authentication request using authn context class reference • AuthnContextClassRef parameter in SAML • Acr_values request parameter in OIDC • IdP returns information indicating that FIDO-based auth was used • Using AuthnContextClassRef in SAML • Using acr and amr claims In ID Token in OIDC All Rights Reserved | FIDO Alliance | Copyright 201819
  • 20.
    Use AuthnContextClassRef inSAML for JIT enforcement Sa m ple SA ML Reques t Sa m ple SA ML Res po ns e <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" … <samlp:RequestedAuthnContext Comparison="exact"> ... <saml:AuthnContextClassRef>urn:rsa:names:tc:SAML:2.0:ac:classes:MediumAssurance</saml:AuthnContextClassRef> … </samlp:RequestedAuthnContext> … </samlp:AuthnRequest> <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" …. <saml:AuthnStatement AuthnInstant="2014-07-17T01:01:48Z" ….. …. <saml:AuthnContextClassRef>urn:rsa:names:tc:SAML:2.0:ac:classes:FIDO</saml:AuthnContextClassRef> …… </saml:AuthnStatement> … </samlp:Response> All Rights Reserved | FIDO Alliance | Copyright 201820
  • 21.
    Use acr_values inOIDC for JIT enforcement Sample OIDC Request /Response EndpointURI: https://tenant.server.example.com/oidc/auth Http Parameters: { response_type: id_token, client_id: rp_client, response_mode: query, redirect_uri: https://rp.example.com/oidc-rp/, scope: openid, …… acr_values: phr phrh mfa RedirectURI: https://rp.example.com/oidc-rp/ Http Parameters: { ……. 'id_token' content: { "auth_time":1490898779, "exp":1490899139, "sub":"someone@example.com", ……. "iss":" https://tenant.server.example.com/oidc-fe", "iat":1490898779, "acr":“phrh", "amr":[“hwk"] } } ACR policy identifiers that can be satisfied by FIDO Authenticators are defined OpenID Connect (EAP) ACR Values specification All Rights Reserved | FIDO Alliance | Copyright 201821
  • 22.
    Other Deployment Options IdP Primary Authentication using non-FIDOmethod Session Identity Information Secondary/Step-up Authentication Using FIDO RP FIDO Server RP Server Browser w/ FIDO Client Authenticator All Rights Reserved | FIDO Alliance | Copyright 201822
  • 23.
    Other Deployment Options Primary Authentication using 1st key Session IdentityInformation Proof of Possession of 2nd key IdP FIDO Server IdP Server RP FIDO Server RP Server Based on NIST 800-63-3 requirements for FAL3, this deployment model can qualify for FAL 3 (provided that other conditions are met) Browser w/ FIDO Client Authenticator All Rights Reserved | FIDO Alliance | Copyright 201823
  • 24.
    Benefits of FIDO& Federation Integration Users continue to enjoy the benefits of Federated SSO, while FIDO provides a more convenient, more secure and privacy preserving method of authentication Organizations offer a streamlined authentication method without putting user identity attributes at risk All Rights Reserved | FIDO Alliance | Copyright 201824
  • 25.
    While using FederationAuthentication, add FIDO support today and get its benefits - 200+ Certified FIDO authenticators - 85+ FIDO certified server implementations - Some are deployed as part of a Federated authentication solution For more details on FIDO and Federation integration, read FIDO Alliance Enterprise Adoption Best Practices white paper All Rights Reserved | FIDO Alliance | Copyright 201825