FederatedSecurity - 91-514-201-s2010
Will Darby
91.514
5 April 2010
What is Federated Security
Security Assertion Markup Language (SAML) Overview
Example Implementations
Alternative Solutions for the Internet
Business Agreement
Multi-organization collaboration common
Accounts generally maintained by one organization
Grant access for externally authenticated users
Diagram: Home Organization authenticates User; Remote Organization grants access to Resources
Authentication – Verifying user identity and permissions
Authorization – Permitting resource access based on identity or attribute
Identity Provider (IdP) – Entity performing authentication
Service Provider (SP) – Entity allowing authorized resource access
Role-Based Access Control – Authorization based on user attributes rather than identity
Building block for Federated Security
Public Key Cryptography – Sign and encrypt data without shared secret
Public/Private Keys – Complementary tokens employed by PKI
Digital Signatures – Enables provable message authenticity and integrity
Message Encryption – Enables message confidentiality over public networks
Separation of authentication from authorization
Direct resource access
• No fixed content gateway
Eliminate external account management
• Organizations maintain user accounts and attributes
User identity protection
• Authorization based on user attributes or pseudonyms
Decouple security implementations
• PKI exchange between organizations
• Internet-scalable solution
First large-scale Federated Security solution
Secures web sites and web applications
Implements Security Assertion Markup Language (SAML) standard
Initially developed for research and higher education
• Research collaboration
• Academic information providers
• Outsourced employee applications
• Extended user populations
Open source project
Attributes assigned to user accounts
Represent group affiliation or user privilege
• No predefined semantics by Shibboleth
• Semantic agreement among participants
• Federation and two-party arrangements
Bundled with resource requests
• Authenticated by IdP
• Basis of resource authorization by SP
Source: “Web Single Sign-On Authentication using SAML”
Based on SAML Web Browser SSO Profile
Standard browser request, e.g. GET
Where-Are-You-From service locates IdP
User browser redirected to IdP
• Automated with JavaScript or manually invoked
IdP-specific identity verification
Digitally signed security assertions
Browser session enables single sign-on
Authorize users across all grid nodes
Minimal changes to existing security
Registry to map credentials to authority
Assertions passed among servers
Source: “An Approach for Shibboleth and Grid Integration”
Anonymous agents require user permissions
Delegation permits privilege assignment
User has right to manage delegation
Delegated entity requests resource on user behalf
IdP translates user ids across domains
Source: “A Delegation Framework for Federated Identity Management”
Declare statements regarding subject
• Method of authentication
• Associated with attributes
• Authorization to access resource
Specifies issuer (SAML authority)
Conditions for time and audience
Advice assertions supporting evidence and updates
Encoding defined by XML schema
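The checks an SP applies to an assertion's issuer, conditions (time window and audience) and attribute statement, and the attribute-based authorization decision described on the Shibboleth attributes slide, as an added Python example that is not part of the original slides or of Shibboleth. The assertion, entity IDs, NameID and attribute values are constructed; the attribute name eduPersonAffiliation is a real eduPerson attribute chosen for illustration. The XML Signature is deliberately left out of the sample: an SP must verify it against the IdP's key from federation metadata before running any of the checks below, and the stdlib XML parser used here does not do that.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}

# Constructed sample assertion: entity IDs, NameID and attribute values are made up.
# The ds:Signature element is omitted; a real SP verifies it (with the IdP's public
# key from federation metadata) before trusting anything checked below.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" Version="2.0" IssueInstant="2010-04-05T12:00:00Z">
  <saml:Issuer>https://idp.home.example/idp</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">pseudonym-42</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2010-04-05T11:55:00Z" NotOnOrAfter="2010-04-05T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.remote.example/shibboleth</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2010-04-05T11:59:00Z"/>
  <saml:AttributeStatement>
    <saml:Attribute Name="eduPersonAffiliation">
      <saml:AttributeValue>member</saml:AttributeValue>
      <saml:AttributeValue>staff</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_saml_time(value):
    """SAML dateTime values are UTC with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, trusted_issuers, my_entity_id, now):
    """SP-side checks on an (already signature-verified) assertion.

    Returns (ok, reason, attributes). Every failure is a hard reject."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % SAML_NS:
        return False, "not a SAML 2.0 assertion", {}
    # Issuer: only IdPs the SP has a federation or two-party agreement with
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer not in trusted_issuers:
        return False, "untrusted issuer", {}
    conditions = root.find("saml:Conditions", NS)
    if conditions is None:
        return False, "missing conditions", {}
    # Time window: reject assertions that are not yet valid or already expired
    not_before = conditions.get("NotBefore")
    not_on_or_after = conditions.get("NotOnOrAfter")
    if not_before and now < parse_saml_time(not_before):
        return False, "not yet valid", {}
    if not_on_or_after and now >= parse_saml_time(not_on_or_after):
        return False, "expired", {}
    # Audience: an assertion issued for some other SP must not be accepted here
    audiences = [a.text for a in conditions.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if my_entity_id not in audiences:
        return False, "wrong audience", {}
    # Attributes: the SP's basis for authorization (semantics agreed with the IdP)
    attributes = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attributes[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return True, "ok", attributes


def authorize(attributes, allowed_affiliations):
    """Attribute-based decision: grant if any asserted affiliation is allowed,
    without the SP needing to know who the user is."""
    return any(v in allowed_affiliations for v in attributes.get("eduPersonAffiliation", []))


if __name__ == "__main__":
    now = parse_saml_time("2010-04-05T12:00:00Z")
    ok, reason, attrs = validate_assertion(
        SAMPLE_ASSERTION, {"https://idp.home.example/idp"},
        "https://sp.remote.example/shibboleth", now)
    print(ok, reason, attrs, authorize(attrs, {"staff", "faculty"}))
```

The audience check is strict on purpose: an assertion without an AudienceRestriction naming this SP is rejected, which stops an assertion obtained from one SP in the federation being replayed against another.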
One means to exchange SAML assertions
SAML profiles define other options
Queries
• Authentication – return authentication details
• Attribute – return attributes for subject
• AuthorizationDecision – determine resource operation permission
Responses
• Status of query
• Verified Assertions requested by query
Diagram: Web Service Client; Identity Provider (2a. Authenticate User, 2b. Create SAML Assertion); Service Provider (5a. Verify Assertion, 5b. Package Resource)
SAML protocol retrieves assertions
Client requests required assertions
SOAP-based web service
WS-Security encodes SAML assertion
XML Signature – Digital signatures, e.g. sign assertions
XML Encryption – Encrypt payload
WS-Security – SOAP encoding of assertions
WS-Policy – Describes service security policy, e.g. assertions required
WS-Trust – Alternate protocol to obtain assertions
Open source Java and C++ SAML libraries
SAML Assertion and Protocol support
Basis of current Shibboleth implementation
Version 2 supports SAML v1.0, v1.1 and v2.0
Developed for blogging community
User-centric identity management
• Choice of digital address (id)
• Select identity provider
Discover IdP from identity URL
Google Account APIs implementation
Source: “OpenID 2.0: A Platform for User-Centric Identity Management”
Delegate access to protected resources
No use of private credentials by client
Differentiates client from resource owner
Server validates authorization and client
Google Account APIs implementation
Diagram (adapted from “The OAuth 1.0 Protocol”): Jane (Resource Owner), Printer Web Site (Client), Photos Web Site (Server)
Recoverable steps: 0a. GetClientCredentials; 0b. ClientCredentials; 2. Register callback; 3. ok; 8. Request token; 9. ok; 10. Get resource; 11. resource
R.L. Morgan, S. Cantor, S. Carmody, W. Hoehn and K. Klingenstein. “Federated Security: The Shibboleth Approach.” EDUCAUSE Quarterly, Volume 27, Number 4, 2004. Pages 12-17. Available at: http://net.educause.edu/ir/library/pdf/EQM0442.pdf.
K.D. Lewis and J.E. Lewis. “Web Single Sign-On Authentication using SAML.” International Journal of Computer Science Issues, Volume 2, 2009. Pages 41-48. Available at: http://www.ijcsi.org/papers/2-41-48.pdf.
“Security Assertion Markup Language (SAML) V2.0 Technical Overview.” OASIS Security Services Technical Committee. March 2008. Available at: http://www.oasis-open.org/committees/download.php/27819/sstc-saml-tech-overview-2.0-cd-02.pdf.
H. Gomi, M. Hatakeyama, S. Hosono and S. Fujita. “A Delegation Framework for Federated Identity Management.” Proceedings of the 2005 Workshop on Digital Identity Management. Pages 94-103.
F. Pinto and C. Fernau. “An Approach for Shibboleth and Grid Integration.” Proceedings of the UK e-Science All Hands Conference, 2005. Available at: http://www.allhands.org.uk/2005/proceedings/papers/531.pdf.
D. Recordon and D. Reed. “OpenID 2.0: A Platform for User-Centric Identity Management.” Proceedings of the Second ACM Workshop on Digital Identity Management, 2006. Pages 11-16.
E. Hammer-Lahav. “The OAuth 1.0 Protocol.” IETF Internet Draft. February 2010. Available at: http://tools.ietf.org/html/draft-hammer-oauth-10.