Geneva Application Security Forum: Vers une authentification plus forte dans les applications web"
3 likes2,671 views
OpenID and SAML are identity federation protocols that allow single sign-on across multiple services on the internet. The presentation discussed OpenID, SAML, identity federation concepts and how they work. It also covered integrating OpenID, using SuisseID, and strong authentication services from Clavid that support various authentication methods like biometrics, certificates and one-time passwords. The conclusion encouraged enabling internet services to support OpenID or SAML for user-centric identity management and single sign-on capabilities.
Geneva Application Security Forum: Vers une authentification plus forte dans les applications web"
- 1. OpenID & SAML, OpenID & SAML OpenID & SAML, SAML OpenID & Identity Federation, SuisseID Identity Federation, SuisseID Strong Authentication ServiceZukunft StrongSign-On Konzepte mit Single Authentication Service Single-Sign-on Concepts with Future & Geneva Application Security Forum 2010 March 4th 2010 Robert Ott, Master of Science (Honors), CFO Robert Ott Fredi Weideli, Master of Computer Science, CTO clavidOpenID Representative Switzerland - ag, Zug 5180 CFO, Clavid AG, Switzerland -
- 2. Agenda • SECTION 1 OpenID - What is it? How does it work? Integration? • SECTION 2 SAML - What is it? How does it work? • SECTION 3 Identity Federation • SECTION 4 A Word on SuisseID • SECTION 5 Strong Authentication as a Service • SECTION 6 Further Links / Conclusion / Q&A Geneva Application Security Forum 2010, March 4th 2010 Page 2
- 3. SECTION 1 SECTION 1 OpenID > What is it? > How does it work? > How to integrate? Geneva Application Security Forum 2010, March 4th 2010 Page 3
- 4. OpenID - What is it? > Internet SingleSignOn > Free Choice of Identity Provider > Relatively Simple Protocol > No License Fee > User-Centric Identity Management > Independent of Identification Methods > Internet Scalable > Non-Profit Organization Geneva Application Security Forum 2010, March 4th 2010 Page 4
- 5. OpenID - How does it work? User Hans Muster (Domain: www.iid.ch) AUTHENTICATION Identity Provider e.g. clavid.ch hans.muster.iid.ch Identity URL OpenID=hans.muster.iid.ch e.g. hans.muster.iid.ch Enabled Service Geneva Application Security Forum 2010, March 4th 2010 Page 5
- 6. OpenID - How does it work? User Hans Muster 3 4, 4a Identity Provider e.g. clavid.com hans.muster.clavid.com 5 6 1 2 Identity URL Caption https://hans.muster.clavid.com 1. User enters OpenID 2. Discovery 3. Authentication 4. Approval 4a. Change Attributes 5. Send Attributes 6. Validation Enabled Service Geneva Application Security Forum 2010, March 4th 2010 Page 6
- 7. OpenID - How does it work? Step 1: A user decides to use a personalized Internet Service supporting OpenID (e.g. local.ch). The user clicks on „Login using OpenID“ and enters its OpenID (e.g. hans.muster.iid.ch). Step 2: The requested Internet Service converts the OpenID into an URL (http://hans.muster.iid.ch) and requests this URL in order to receive the Identity Provider of the user. Step 2a: In this example, the user has delegated its OpenID to the Identity Provider clavid.ch. Step 3: The Identity Provider provides possible authentication methods for that specific user (in this case “Password”). Having successfully authenticated, the next step (approval) is initiated. Step 4: The user decides on the values of the requested attributes to be provided to the Internet Service. The Identity Provider usually provides user specific Personas (attribute templates) to assist the user in this approval process. Step 4a: At this point, the user may decide to change attribute values and store them on the Identity Provider for future approvals for that specific service. Thus, a user can automate future approvals for specific Internet Services. Step 5, 6: The attribute values are then signed and communicated from the Identity Provider to the Internet Service. The Internet Service validates the signature of the provided attributes and finally accepts the user to be authenticated. Geneva Application Security Forum 2010, March 4th 2010 Page 7
- 8. OpenID - How does it work? Geneva Application Security Forum 2010, March 4th 2010 Page 8
- 9. OpenID - How does it work? Geneva Application Security Forum 2010, March 4th 2010 Page 9
- 10. OpenID - User Centric Identity Management TOMORROW ? FUTURE ? TODAY OpenID Provider Username Username Password Password Username Username Password Password Geneva Application Security Forum 2010, March 4th 2010 Page 10
- 11. OpenID - How to Integrate? Assumptions concerning your current Site • Users sign in with their username and password • There is a form, where new users have to register • Each user is identified by a unique ID in your database • A settings page let users manage their account info Recipe • Extend the database to map the OpenIDs to the user IDs • Extend the registration page with an OpenID input field • Extend the sign in page with an OpenID input field • Extend the settings page to attach and detach openIDs Geneva Application Security Forum 2010, March 4th 2010 Page 11
- 12. OpenID - How to Integrate? Ingredients • A OpenID Consumer Library • The Standard OpenID Logos • An OpenID Provider to test your site with Geneva Application Security Forum 2010, March 4th 2010 Page 12
- 13. OpenID - How to Integrate? OpenID Libraries Language Library C# DotNetOpenId, ExtremeSwank C++ Libopkele Java NetMesh InfoGrid LID, OpenID4Java, joid Perl Net::OpenID, OpenID4Perl Python JanRain Ruby JanRain, Heraldry PHP Jan Rain, Zend Framework OpenID Component, Saeven.net's JanRain Service Utility Class, Taral, Simple Class, sfOpenIDPlugin, CakePHP, EasyOpenID, OpenID For PHP, AuthOpenID Snippet Coldfusion CFKit OpenID, CFOpenID, OpenID CFC Apache 2 mod_auth_openid Geneva Application Security Forum 2010, March 4th 2010 Page 13
- 14. SECTION 2 SECTION 2 SAML >What is it? >How does it work? Geneva Application Security Forum 2010, March 4th 2010 Page 14
- 15. SAML – What is it? SAML (Security Assertion Markup Language): > Defined by the Oasis Group > Well and Academically Designed Specification > Uses XML Syntax > Used for Authentication & Authorization > SAML Assertions > Statements: Authentication, Attribute, Authorization > SAML Protocols > Queries: Authentication, Artifact, Name Identifier Mapping, etc. > SAML Bindings > SOAP, Reverse-SOAP, HTTP-Get, HTTP-Post, HTTP-Artifact > SAML Profiles > Web Browser SingleSignOn Profile, Identity Provider Discovery Profile, Assertion Query / Request Profile, Attribute Profile Geneva Application Security Forum 2010, March 4th 2010 Page 15
- 16. SAML – How does it work? User Hans Muster AUTHENTICATION Redirect with Identity Provider <Response> Redirect with e.g. clavid.ch (signed Assertion) <AuthnRequest> Access Resource Enabled Service e.g. Google Apps for Business Geneva Application Security Forum 2010, March 4th 2010 Page 16
- 17. SAML – How does it work? User Hans Muster 3 2 4 Identity Provider e.g. clavid.ch 4 2 1 6 Enabled Service e.g. Google Apps for Business Geneva Application Security Forum 2010, March 4th 2010 Page 17
- 18. SAML – How does it work? Step 1: A user decides to use a personalized Internet Service connected to a SAML based Identity provider (e.g. Google Business Application Calendar). Step 2: The Internet Service recognizes that the user is not logged in yet. A SAML <AuthnRequest> is created and sent via redirect to the Identity Provider. Step 3: The Identity Provider provides possible authentication methods for that specific user (in this case “YubiKey” OTP). Having successfully authenticated, the next step is initiated. Step 4: The Identity Provider creates a SAML <Response> containing the user’s identifier for the specific target application. Then it signs the SAML <Response> and sends it via a Post- Redirect to the Internet Services (e.g. Google Calendar) Step 5: The Internet Service (e.g. Google Apps) verifies the signature of the SAML <Response> and now knows the user’s identifier provided by the Identity Provider. Step 6: The Internet Service can now be used by the user. Geneva Application Security Forum 2010, March 4th 2010 Page 18
- 19. SAML – How does it work? 1) Call Application URL 3) Application Usage 2) Login Geneva Application Security Forum 2010, March 4th 2010 Page 19
- 20. SECTION 3 SECTION 3 Identity Federation Geneva Application Security Forum 2010, March 4th 2010 Page 20
- 21. B2B Identity Federation - The Protocol Problem Company A Intranet Internet Service A Travel Proprietary Token Ticket Shop https Internet Service B OpenID Document Management SAML 1.0 Internet Service C Personal Recruting SAML 2.0 SaaS Applications Geneva Application Security Forum 2010, March 4th 2010 Page 21
- 22. B2B Identity Federation - The Protocol Mess Company A Intranet Internet Service A Proprietary Token OpenID Travel Ticket Shop SAML 1.0 https Internet Service B SAML 2.0 Company B Document Management Intranet Proprietary Token OpenID Internet Service C SAML 1.0 Personal https SAML 2.0 Recruting Company C Proprietary Token SaaS Applications Intranet OpenID SAML 1.0 https SAML 2.0 Geneva Application Security Forum 2010, March 4th 2010 Page 22
- 23. B2B Identity Federation - The Protocol Solution Company A Intranet Internet Service A Travel Ticket Shop https Internet Service B Internet Identity Provider Proprietary Token Company B Proprietary Token Document Identity Mapping Management Intranet OpenID One Time Passw. (OTP) Internet SSO Internet Service C Biometric (AXSioncs) Mobile Phone (SMS) eID (Identity Card) OpenID SAML 1.0 Personal https SSL Certificates Recruting Internet SSO Company C SAML 2.0 SAML 2.0 SaaS Applications https Intranet https Geneva Application Security Forum 2010, March 4th 2010 Page 23
- 24. B2B Identity Federation - The Protocol Solution Company A Company B Intranet Intranet https https Internet Identity Provider Proprietary Token SAML 1.0 Company C Identity Federation Intranet One Time Passw. (OTP) Internet SSO Internet SSO Biometric (AXSioncs) Mobile Phone (SMS) eID (Identity Card) SAML 2.0 https SSL Certificates https https Geneva Application Security Forum 2010, March 4th 2010 Page 24
- 25. SECTION 4 SECTION 4 A Word on SuisseID Geneva Application Security Forum 2010, March 4th 2010 Page 25
- 26. A Word On SuisseID • SuisseID is currently in Early Draft Specification Phase • SuisseID should be available for public in spring 2010 • SuisseID cost will be refunded by the Government in 2010 • SuisseID will most probably be: – A signature certificate – An authentication certificate – All certificates conform to ZertES – Certificates contain a unique SuisseID number – An Identity Provider Services for attribute exchange • Eligible SuisseID certificate service providers will be: – Swiss Post (SwissSign), Swisscom, QuiVadis, Swiss Government Geneva Application Security Forum 2010, March 4th 2010 Page 26
- 27. A Word On SuisseID Geneva Application Security Forum 2010, March 4th 2010 Page 27
- 28. SECTION 5 SECTION 5 Strong Authentication as a Service Geneva Application Security Forum 2010, March 4th 2010 Page 28
- 29. OpenID - International Identity Providers Username/Password Certificates Biometric OTP Geneva Application Security Forum 2010, March 4th 2010 Page 29
- 30. Clavid Portal for Strong Authentication Geneva Application Security Forum 2010, March 4th 2010 Page 30
- 31. Clavid Portal - AXSionics Geneva Application Security Forum 2010, March 4th 2010 Page 31
- 32. Clavid Portal - Yubikey Geneva Application Security Forum 2010, March 4th 2010 Page 32
- 33. Clavid Portal - Certificates Geneva Application Security Forum 2010, March 4th 2010 Page 33
- 34. Clavid Portal - One Time Password OTP Methods: • OATH HOTP (RFC4226) • Challenge/Response (RFC2289) • Mobile OTP (OpenSource Project) • SMS • ... others ... Geneva Application Security Forum 2010, March 4th 2010 Page 34
- 35. Clavid Portal - Personas Geneva Application Security Forum 2010, March 4th 2010 Page 35
- 36. Clavid Portal - Login Settings Geneva Application Security Forum 2010, March 4th 2010 Page 36
- 37. Clavid Login Dialog Geneva Application Security Forum 2010, March 4th 2010 Page 37
- 38. SECTION 6 SECTION 6 Conclusion >Further References >Questions & Answers >Contact Information Geneva Application Security Forum 2010, March 4th 2010 Page 38
- 39. Further Links: on OpenID OpenID Identity Providers can be found at: > http://en.wikipedia.org/wiki/OpenID > http://en.wikipedia.org/wiki/List_of_OpenID_providers > http://www.openiddirectory.com/openid-providers-c-1.html > http://www.clavid.com/ (Strong Authentication in Europe) Geneva Application Security Forum 2010, March 4th 2010 Page 39
- 40. Conclusion > OpenID: An open, well documented specification allowing Internet Single Sign-On (SSO) for individual “Public Services” (B2C) > SAML: Trust based Internet and Intranet Single Sign-On for Business Services (B2B) > Professional Identity Providers already in place > User Centric Identity Management already integrated > Join OpenID Switzerland in order to increase the OpenID momentum > Enable your Internet Services to support OpenID or SAML !!! Geneva Application Security Forum 2010, March 4th 2010 Page 40
- 41. Demo > SAML-Login to Google Business Apps using AXSionics Fingerprint > SAML-Login to Salesforce.com using YubiKey OTP > OpenID login to local.ch using Swiss PostZertifikat > Online Identity Administration (Clavid Portal) Geneva Application Security Forum 2010, March 4th 2010 Page 41
- 42. Questions & Answers Geneva Application Security Forum 2010, March 4th 2010 Page 42
- 43. Contact Information Geneva Application Security Forum 2010, March 4th 2010 Page 43