OpenID and identity management in consumer services on the Internet
Kari Helenius
Helsinki University of Technology

Abstract

With new services emerging on the Internet daily, users need to manage and remember more and more username/password pairs in order to authenticate to those services. The Single Sign-On (SSO) concept is taking the step from the enterprise world towards the open Internet to ease authentication and identity management for users. One strong candidate for this purpose seems to be OpenID. This paper discusses the OpenID standard and how the enterprise-style SSO concept can be copied to the open Internet, where several identity providers work independently and manage their own users and identities. It also discusses the extensibility and suitability of OpenID, the issues it may raise, whether it can meet future requirements and whether it is sufficient in general to act as an SSO protocol for the Internet.

KEYWORDS: OpenID, SSO, Identity management

1 Introduction

In the past few years the Internet has taken a big leap from static web pages to dynamic and rich web applications where users can create, manage and share their own content and consume, discuss and share further the content created by other users. Services like YouTube, MySpace and Facebook are more or less familiar to everyone, and of course there is Google, which is releasing new services all the time. This huge number of services has created a problem: active Internet users are forced to remember many username/password pairs for these different services. In order to improve the user experience, these service providers have come together to specify methods that allow users to share their identity among different services in a secure manner, without the risk of revealing the actual password or any confidential information to other services.
In enterprise environments these issues have been solved with an SSO system, usually provided by a commercial vendor, and by integrating all services inside the enterprise with this system. On the Internet, an open standard called OpenID has adopted the main features of SSO and is getting more and more popular, with big service providers standing behind it. Can the SSO paradigm really be used in the Internet environment, where no centralized identity management exists? How well will the simplified OpenID protocol work in such an environment, and can it meet future challenges?

Identity federation, a concept implemented by SSO, means sharing user identity, data and other user-specific attributes across multiple services. In order to avoid leaking private data to non-authorized parties, a trust relationship between applications, or between the user and an application, is required. In this paper we take a look at how these attributes are shared and how this relationship is created to ensure that private data is passed only to authorized parties.

2 Identity management

On the modern Internet an identity is required to perform various tasks. Whether it is writing a comment to a blog or paying bills at a bank, the customer needs to somehow identify himself to the service. Identity in its simplest form means some sort of unique identifier which can be used to distinguish a person. The relationship between a person and identities is either one-to-one or one-to-many, meaning that an identity always points to one person, but one person may have several identities. In order to identify someone, his claimed identity must be authenticated by some party. The easiest method of authentication is to perform it against the party who is claiming the identity. That, however, would not be very trustworthy, because everyone could claim that their identity is whatever they want and also vouch for that being true. A real-world analogy would be everyone printing their own passports.
So, in order to authenticate claimed identities, a trusted party is required [5]. Different kinds of identification methods are available, and they vary depending on how strong security is required. Identification is needed to guarantee that the user really owns the claimed identity. For example, a passport contains a photo of the owner, so even if someone manages to steal that document he probably cannot use it. With computers the most typical identification is some sort of shared secret: a password. By entering his secret, the user proves to the service that he is who he claims to be. A password is a compromise between security and usability. It is not considered strong, because it can be stolen, guessed or broken too easily, but from the user's point of view it is easy to use and thus suitable for most services. Because they are not strong enough, simple passwords alone are not used in critical services like banks; those usually combine passwords with some other method, for example a one-time password list.

Pieces of extra information related to an identity are called attributes. If a passport is used to verify the identity of a person, his name and date of birth obtained from that identity are considered attributes. Just like the identity, these attributes must be authenticated as well in order to be considered trusted. If the identity is authenticated by a trusted party, like a passport issued by government authorities, the related attributes usually are as well. However, it is also possible for an authenticated identity to contain non-authenticated attributes; this is especially the case with OpenID, as we show later in this paper.

3 Single Sign-On (SSO)

The number of web applications is growing rapidly. New services are released on the Internet all the time, and more and more applications inside corporations are used with a regular web browser instead of being separate desktop applications. Running applications centrally on a server reduces administrative and maintenance costs dramatically, because only one instance of the application needs to be maintained. Usually each of these applications requires users to authenticate separately, forcing people to remember separate credentials for each application. Each application also contains a separate user database and account-management logic. In a corporate network there can easily be tens of different applications containing redundant information about user accounts and their permissions. In order to reduce the costs of maintaining user information and also to ease the use of these applications, the SSO concept was brought to enterprise environments. The concept has been around for a couple of decades, at first implemented using proprietary solutions [10], but during the last few years the Security Assertion Markup Language (SAML), maintained by OASIS, has become the standard protocol [5]. SAML is an XML-based framework designed to pass identity information between different parties in a secure manner. It has been designed as a flexible and extensible framework based on XML messages and is not tied to any specific protocol or environment. Using SAML in a web environment, where some of the messages are passed between parties using the browser as an intermediary, is just one use case for it. SSO stands for Single Sign-On and in its simplest form means a way for a user to access several applications using centrally managed account information, performing authentication only once.
A typical SSO environment consists of the services that users access, called service providers (SP), and an identity provider (IdP). When an SP needs to authenticate a user, it delegates this task to the IdP, which performs the actual authentication of the user, usually with a username/password pair, though stronger authentication such as a biometric solution is of course possible. After the IdP has authenticated the user, it passes this information back to the SP, which can then proceed and offer its services to the user. Along with the user identifier, the IdP can also provide, or the SP can query, different attributes of the specific identity. Typically these attributes are information about the user (full name, e-mail, phone number) or information about roles (normal user, administrator). Based on these attributes the SP performs the actual authorization and restricts or allows access to certain features and information in the service.

In an enterprise environment the links between SPs and the IdP are usually static: the IdP that an SP should use to authenticate users is preconfigured in it. This kind of relationship is called a circle of trust (CoT). Mutual authentication is used inside the CoT to assure that only trusted SPs authenticate users through the IdP and that only the trusted IdP provides information about the user. Because of the CoT, all information provided by the IdP can be considered trusted. Because the CoT allows the IdP to recognize which SP is requesting attributes, it is possible to limit the visibility of certain attributes. An enterprise might want to integrate some third-party SP into its CoT, allowing users to access this SP with their existing accounts; in such a case the company might limit the attributes accessible to that service to only the necessary ones.

Even though user accounts are stored in the IdP, it is very often necessary to store some of the user attributes locally in the SP.
Usually such values are needed in internal queries in the SP, and requesting them every time from the IdP would cause a severe decrease in performance. Attribute propagation is used to synchronize the parameters between the IdP and SP: when attributes are modified in the IdP, a special message with the new values is sent to the SP so it can update its existing values.

Single Log-Out (SLO) is used in an SSO environment to log the user out from all SPs when he logs out from the IdP [5]. In a web environment this is performed by redirecting the user sequentially to all necessary SPs, passing a SAML logout message along. SLO guarantees that when a user wants to log out, he is also logged out from all SPs, leaving no unwanted sessions open between an SP and the browser.

4 Identity Management with OpenID

OpenID was originally developed by Brad Fitzpatrick in 2005 to avoid comment spamming on LiveJournal online articles. The original idea was that when someone wanted to leave a comment, he would enter the URL of his OpenID-enabled blog, and LiveJournal would perform a verification procedure to make sure that the person writing the comment is also the owner of the given blog [5]. The high-level architecture of OpenID is similar to SSO, but the terminology is a bit different. The actual service that the user wants to use is called the relying party (RP) instead of SP; it relies on information offered by the identity provider. The party that performs the actual authentication of the identity is called the OpenID provider (OP) instead of IdP. Unlike SAML, OpenID has been designed with lightness and easy implementation in mind. Whereas SAML consists of several different specifications and extensions, the OpenID specification is only a couple of pages. It is also designed to be used only in the web environment: the protocol itself relies on features of the HTTP protocol, for example response status codes and request types (GET, POST). The original idea behind OpenID was to use the URL of a blog as the identifier.
This feature is still one of the main pillars of OpenID. All identifiers in OpenID are URLs (the specification supports XRIs as well), which guarantees that each identifier is unique, and because OPs are only able to manage URLs that belong to their own domain, it is not possible to cause identifier conflicts between providers. OpenID authentication consists of several steps [8], shown in Fig. 1.
Figure 1: OpenID authentication steps (sequence between User, RP, OpenID URL and OP: 1. Enter OpenID, 2. Discovery, 3. Associate, 4. Redirect to OP, 5. Authenticate, 6. Redirect to RP, 7. Verify)

1. A user wants to log in to the RP and enters his OpenID identifier.
2. Using the entered identifier, the RP performs discovery, where it looks up the parameters necessary to start the actual authentication process. OpenID supports different discovery methods, so the identifier owner can choose the one that suits him best. After discovery the RP should know the OP endpoint URL; if this parameter is not obtained, the authentication process cannot continue.
3. The RP uses the OP endpoint URL to form an association between the two parties. The association contains a shared secret between the RP and OP and is used to sign the subsequent messages of this authentication process.
4. The RP redirects the user to the OP endpoint.
5. The OP checks whether the user is already authenticated and shows the login screen if necessary.
6. After successful authentication, the user is redirected back to the RP.
7. The RP verifies the parameters received from the OP using the shared secret. The RP also verifies that the authenticated identifier matches the one the user claimed; obviously an OP is able to authenticate only identifiers that belong to its own domain. After verification the RP can consider the user authenticated and perform local authorization if necessary.

After the identity is authenticated, the RP can request attributes of the identity from the IdP. OpenID contains an extensible Attribute Exchange protocol [7] for this purpose. The protocol is quite simple: basically it allows the RP to request values for different attribute names, for example age, full name, gender and e-mail. The actual specification defines only the protocol that should be used when requesting these attributes; it does not say anything about the attribute names that are supported or should be used.
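As an added example that is not part of the paper, the verification of step 7 written out in Python for a relying party that holds an association from step 3: it recomputes the HMAC signature over the fields listed in openid.signed, and checks that the OP endpoint is the one found by discovery, that the claimed identifier is the one the user entered, that return_to is the RP's own and that the response nonce is fresh and unused. The endpoints, identifiers, association handle and MAC key are constructed sample values.

```python
import base64
import calendar
import hashlib
import hmac
import time
from dataclasses import dataclass, field

# Constructed sample values for a demo OP and RP (not real endpoints or keys).
OP_ENDPOINT = "https://op.example.net/server"
RP_RETURN_TO = "https://rp.example.org/openid/return"
ASSOC_HANDLE = "assoc-demo-1"
MAC_KEY = b"0123456789abcdef0123456789abcdef"  # 32-byte key for HMAC-SHA256
NONCE = "2009-05-20T12:00:00Zabc123"            # UTC timestamp + unique suffix
DIGESTS = {"HMAC-SHA1": hashlib.sha1, "HMAC-SHA256": hashlib.sha256}


def kv_form(params, signed):
    """Key-value form of the fields listed in openid.signed: one 'key:value\\n'
    line per field, with the 'openid.' prefix stripped from the key."""
    return "".join(f"{k}:{params['openid.' + k]}\n" for k in signed.split(",")).encode()


def compute_sig(mac_key, assoc_type, params):
    """Base64 HMAC over the key-value form, as openid.sig carries it."""
    mac = hmac.new(mac_key, kv_form(params, params["openid.signed"]), DIGESTS[assoc_type])
    return base64.b64encode(mac.digest()).decode("ascii")


def nonce_timestamp(nonce):
    """Seconds since the epoch for the leading 'YYYY-MM-DDThh:mm:ssZ' of a nonce."""
    return calendar.timegm(time.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ"))


@dataclass
class RelyingParty:
    return_to: str
    associations: dict                     # assoc_handle -> (mac_key, assoc_type)
    seen_nonces: set = field(default_factory=set)
    nonce_window: int = 300                # accepted clock skew in seconds

    def verify(self, params, discovered_endpoint, claimed_id, now=None):
        """Step 7: returns (ok, reason) for a positive assertion from the OP."""
        now = int(time.time()) if now is None else now
        if params.get("openid.mode") != "id_res":
            return False, "not a positive assertion"
        signed = params.get("openid.signed", "").split(",")
        for name in ("op_endpoint", "return_to", "response_nonce",
                     "assoc_handle", "claimed_id", "identity"):
            if name not in signed:
                return False, f"{name} is not covered by the signature"
        # Bind the assertion to the endpoint found in step 2, to this RP, and to
        # the identifier the user typed in step 1 (an OP may only vouch for its own).
        if params["openid.op_endpoint"] != discovered_endpoint:
            return False, "op_endpoint does not match discovery"
        if params["openid.return_to"] != self.return_to:
            return False, "return_to mismatch"
        if params["openid.claimed_id"] != claimed_id:
            return False, "claimed identifier mismatch"
        assoc = self.associations.get(params["openid.assoc_handle"])
        if assoc is None:
            return False, "unknown association handle"
        mac_key, assoc_type = assoc
        expected = compute_sig(mac_key, assoc_type, params)
        if not hmac.compare_digest(expected, params.get("openid.sig", "")):
            return False, "bad signature"
        # Replay protection only after the signature has been checked, so unsigned
        # junk cannot fill the nonce store.
        nonce = params["openid.response_nonce"]
        if abs(now - nonce_timestamp(nonce)) > self.nonce_window:
            return False, "nonce outside accepted time window"
        if nonce in self.seen_nonces:
            return False, "nonce already used"
        self.seen_nonces.add(nonce)
        return True, "ok"


def make_assertion(claimed_id, local_id, tamper=None):
    """Constructed positive assertion as the demo OP would sign it after step 5.
    Fields in `tamper` are overwritten after signing, to simulate modification."""
    params = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.op_endpoint": OP_ENDPOINT,
        "openid.claimed_id": claimed_id,
        "openid.identity": local_id,
        "openid.return_to": RP_RETURN_TO,
        "openid.response_nonce": NONCE,
        "openid.assoc_handle": ASSOC_HANDLE,
        "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle",
    }
    params["openid.sig"] = compute_sig(MAC_KEY, "HMAC-SHA256", params)
    params.update(tamper or {})
    return params


def demo_rp():
    """RP holding the association that step 3 established with the demo OP."""
    return RelyingParty(RP_RETURN_TO, {ASSOC_HANDLE: (MAC_KEY, "HMAC-SHA256")})


if __name__ == "__main__":
    rp, now = demo_rp(), nonce_timestamp(NONCE)
    user = "https://alice.example.com/"
    good = make_assertion(user, user)
    print(rp.verify(good, OP_ENDPOINT, user, now))    # (True, 'ok')
    print(rp.verify(good, OP_ENDPOINT, user, now))    # (False, 'nonce already used')
    forged = make_assertion(user, user, {"openid.identity": "https://mallory.example.com/"})
    print(rp.verify(forged, OP_ENDPOINT, user, now))  # (False, 'bad signature')
```

The same checks apply when the RP runs in stateless mode, except that the signature is then sent to the OP for check_authentication instead of being recomputed locally.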
A community-based project has started to collect an unofficial list of common attribute names, and it currently seems to be the standard that different parties are recommended to use. The attribute exchange protocol takes the privacy of attributes into account: before the OP passes attributes to the RP, it asks the user whether he wants to reveal this information to the specific RP. The user's choice can be stored at the OP so that permission is not asked again the next time the user authenticates to the same RP.

OpenID also makes it possible to move from one IdP to another and still retain the original OpenID identifier. If the user is in control of his own OpenID identity, he can delegate the actual authentication task to the IdP of his choice. This is possible if the user is either able to modify the content of the OpenID URL or if the identity belongs to a provider that already supports authentication delegation (like myopenid.net). The transfer to the authenticating IdP is performed during provider discovery: if the RP finds certain HTTP meta-data at the OpenID URL during discovery, it uses this information as the OP Endpoint URL and the OP-Local Identifier.
The rest of the process is performed against this newly discovered endpoint using the local identifier, but when returning to the RP, the claimed identifier will be the original one that the user entered [8]. If the user is interested in changing his IdP while keeping his original OpenID identity, the initial OpenID identifier must be chosen with care. Big providers like AOL, Google or Yahoo do not allow their identifiers to be authenticated by other providers. It is, however, possible to use an identifier e.g. from myopenid.net and delegate the authentication to any other provider the user wants to use.

5 SSO with multiple IdPs using OpenID

An environment with multiple autonomous identity providers differs quite vastly from the typical enterprise SSO scenario where identities are controlled by one main system. This section discusses the differences between these two setups, how multiple providers can work together and what kind of issues this causes.

If there are several IdPs and everyone can start their own, does this not create the possibility of an identity conflict where multiple IdPs contain a user with the same identifier? In identity management in general this is avoided by defining some context in which an identity is unique. This context is usually limited to one IdP, and the actual global identity is formed from the context-specific identity and the namespace of the IdP. OpenID solves this problem cleverly, because each identity is also a URL that clearly denotes the domain.

The biggest difference between OpenID and federated SSO is that the former is missing the central concept of the latter: the circle of trust. As previously mentioned, there is usually a trust relationship between SP and IdP. In OpenID this relationship is obviously missing: everyone can become a service provider and everyone can start acting as an identity provider. The lack of a CoT in OpenID moves the trust from the application level to the social level [2].
To trust another person, a user must somehow verify that the person really is who he claims to be. This could be accomplished, for example, by contacting the person by e-mail or by some other means and verifying his OpenID identifier. In enterprise SSO, the person with the name Kari Helenius can be trusted to be Kari Helenius in the given context, because this information is obtained from an IdP that is trusted in the enterprise. When there is no trust between RP and IdP, all attributes received from the IdP should be considered unqualified; the only information that can be handled as trusted is the identity. The attribute exchange protocol allows querying for the e-mail address of the user. If the IdP is, for example, Google, a service can assume that the user really is the owner of the address, and the address could be taken into use directly without verifying it. Such assumptions, however, require creating blacklists and whitelists of OPs (trust attribute X if it comes from an OP in list Y), which forms a one-way federation and is against the openness of OpenID.

The main problem with the current status of OpenID is that even though large providers such as Google, Microsoft, Yahoo and AOL are releasing their support for OpenID, they are only acting as OpenID providers [3]. None of them is interested in acting as a relying party, because that would force them to rely on arbitrary OPs: they could not guarantee that access to their system is secured sufficiently, and the availability of their service would depend on a third party. If a user had chosen his OP poorly, he might not be able to access his mail, because the identity provider is temporarily down or might even have closed completely [3].

6 Evaluation and discussion

From the security perspective, the major problem in OpenID seems to be its vulnerability to phishing [4][9].
When a user is lured to a malicious RP and has entered his OpenID identifier, the RP, instead of redirecting to the actual OP endpoint, fetches the page at the OP endpoint and shows it to the user. When the user fills in the username and password fields, the RP can steal them. Marco Slot in [9] even presents a "level 3" phishing attack where the malicious RP simply asks for the OpenID identifier and password. A user who is familiar with the OpenID concept notices such a phishing attempt, but an average user with less knowledge of the actual technology probably just fills in the fields. Such phishing attacks are, however, more related to how the user can verify that he is on the OP's pages and can safely enter his credentials; they are related to OpenID because the OpenID concept opens these new phishing possibilities.

Content sharing on the Internet has gained a lot of popularity in the last few years; half of the top 10 sites in the world are related to personal content sharing [1]. Even if these sites supported OpenID, another problem would remain: users still need to manage redundant copies of their social networks. A technology called Lockr [1] has been proposed to solve this issue. Lockr consists of one central LockrCenter application which stores a social access control list (ACL). The ACL contains the public keys of allowed parties and the types of relationships that are used to map users to protected content. A user accessing the content is required to prove his identity using his private key. By replacing the asymmetric-key security with OpenID authentication, this solution allows centralized access-right management with OpenID identities.

Missing support for Single Log-Out (SLO) is also a security vulnerability in OpenID. Because there is no way to centrally control the lifetime of user sessions, it is possible that a user logs out or his session expires at the OP but still remains open at the RPs.
This could be an issue in an environment where the same PC is shared by multiple people, like in a library. If the user logs out only from his OP and accidentally leaves the browser window open, the next person coming to that PC would be able to use his account at the RPs where the user still remains logged in [6].

Most applications require more information about the user than just an identifier. This information can be collected either from attributes received during authentication or by letting the user input the values. Storing these values locally causes duplication of the information and forces users to maintain them manually. The current version of OpenID lacks the possibility to propagate attribute modifications to RPs, which in turn causes the data to get out of sync when the user modifies it at the OP.

7 Conclusions

Having a common SSO method on the Internet is a huge relief for both service developers and the users accessing these services. Currently each application must contain logic for user authentication, registration, account management and password recovery. If these actions can be delegated to some external party, it has a significant effect on administrative and development costs and also generally improves the security of the service. Users benefit from the fact that they have to remember only one username/password pair that grants them access to all the services they want to use [10].

OpenID has gained a lot of popularity, and with popular service providers starting to support it, it seems to be becoming even more popular. Its strength, being open, has also become its weakness: none of the large service providers are interested in acting as an RP if they must rely on every OP. This might lead to a federated login support where certain RPs only trust a limited number of OPs.

OpenID does not remove the fact that users are still forced to manage duplicate information in multiple services. The protocol itself guarantees to provide only the identity; all the attributes are optional and unqualified as well. If a service requires any extra information about the user, it must collect it from the user, validate it if necessary and store it locally.

The protocol's vulnerability to phishing is also an issue that should be solved. Educated Internet users probably have enough knowledge to avoid it, but that does not apply to average users. When a user uses only one account to access all services, the consequences are much worse if the credentials for this account are stolen.

References

[1] Amin Tootoonchian, Kiran K. Gollu, Stefan Saroiu, Yashar Ganjali and Alec Wolman. Lockr: Social access control for web 2.0. In WOSN 2008, August 2008.
[2] F. Culloch. OpenID and SAML. Technical report, Terena EuroCAMP Stockholm, May 2008. org/activities/eurocamp/may08/slides/culloch-openid.pdf.
[3] G. Goth. Single sign-on and social networks. IEEE Distributed Systems Online, 9.
[4] K. C. HwanJin Lee, InKyung Jeun and J. Song. A new anti-phishing method in OpenID. In The Second International Conference on Emerging Security Information, Systems and Technologies.
[5] E. Maler and D. Reed. The Venn of identity: Options and issues in federated identity management. IEEE Security and Privacy, 6:16-23, 2008.
[6] H.-K. Oh and S.-H. Jin. The security limitations of SSO in OpenID. Advanced Communication Technology, ICACT 2008, vol. 3.
[7] OpenID. Attribute exchange protocol specification, 1.0 edition. openid-attribute-exchange-1_0.html.
[8] OpenID. OpenID specifications, 2.0 edition. http://openid.net/developers/specs/.
[9] M. Slot. Beginners guide to OpenID phishing. http://marcoslot.net/apps/openid/.
[10] A. Volchkov. Revisiting single sign-on: A pragmatic approach in a new context. IT Professional, 3:39-45.
Antti Pyykkö, Mikko Malinen, Oskari Miettinen GENERAL OVERVIEW OF VARIOUS SSO SYSTEMS: ACTIVE DIRECTORY, GOOGLE & FACEBOOK TJTSE54 Assignment 29.4.2008 Jyväskylä University Department of Computer Science
More informationOpenLogin: PTA, SAML, and OAuth/OpenID
OpenLogin: PTA, SAML, and OAuth/OpenID Ernie Turner Chris Fellows RightNow Technologies, Inc. Why should you care about these features? Why should you care about these features? Because users hate creating
More informationAuthentication and Single Sign On
Contents 1. Introduction 2. Fronter Authentication 2.1 Passwords in Fronter 2.2 Secure Sockets Layer 2.3 Fronter remote authentication 3. External authentication through remote LDAP 3.1 Regular LDAP authentication
More informationSingle Sign-On for the Internet: A Security Story. Eugene Tsyrklevich eugene@tsyrklevich.name Vlad Tsyrklevich vlad902@gmail.com
Single Sign-On for the Internet: A Security Story Eugene Tsyrklevich eugene@tsyrklevich.name Vlad Tsyrklevich vlad902@gmail.com BlackHat USA, Las Vegas 2007 Introduction With the explosion of Web 2.0 technology,
More informationAllidm.com. SSO Introduction. Discovering IAM Solutions. Leading the IAM Training. @aidy_idm facebook/allidm
Discovering IAM Solutions Leading the IAM Training @aidy_idm facebook/allidm SSO Introduction Disclaimer and Acknowledgments The contents here are created as a own personal endeavor and thus does not reflect
More informationLogout Support on SP and Application
Logout Support on SP and application Logout Support on SP and Application Possibilities and and Limitations SWITCHaai Team aai@switch.ch Single Logout: Is it possible? Single Logout will work only in some
More informationIdentity Management in Liferay Overview and Best Practices. Liferay Portal 6.0 EE
Identity Management in Liferay Overview and Best Practices Liferay Portal 6.0 EE Table of Contents Introduction... 1 IDENTITY MANAGEMENT HYGIENE... 1 Where Liferay Fits In... 2 How Liferay Authentication
More informationFederation At Fermilab. Al Lilianstrom National Laboratories Information Technology Summit May 2015
Federation At Fermilab Al Lilianstrom National Laboratories Information Technology Summit May 2015 About Fermilab Since 1967, Fermilab has worked to answer fundamental questions and enhance our understanding
More informationEnabling SAML for Dynamic Identity Federation Management
Enabling SAML for Dynamic Identity Federation Management Patricia Arias, Florina Almenárez, Andrés Marín and Daniel Díaz-Sánchez University Carlos III of Madrid http://pervasive.gast.it.uc3m.es/ WMNC 2009
More informationSAP Cloud Identity Service Document Version: 1.0 2014-09-01. SAP Cloud Identity Service
Document Version: 1.0 2014-09-01 Content 1....4 1.1 Release s....4 1.2 Product Overview....8 Product Details.... 9 Supported Browser Versions....10 Supported Languages....12 1.3 Getting Started....13 1.4
More informationOIOSAML Rich Client to Browser Scenario Version 1.0
> OIOSAML Rich Client to Browser Scenario Version 1.0 Danish Agency for Digitization December 2011 Contents > 1 Introduction 4 1.1 Purpose 1.2 Background 4 4 2 Goals and Assumptions 5 3 Scenario Details
More informationCopyright: WhosOnLocation Limited
How SSO Works in WhosOnLocation About Single Sign-on By default, your administrators and users are authenticated and logged in using WhosOnLocation s user authentication. You can however bypass this and
More informationThe Devil is Phishing: Rethinking Web Single Sign On Systems Security. Chuan Yue USENIX Workshop on Large Scale Exploits
The Devil is Phishing: Rethinking Web Single Sign On Systems Security Chuan Yue USENIX Workshop on Large Scale Exploits and Emergent Threats (LEET 2013) Web Single Sign On (SSO) systems Sign in multiple
More informationSymplified I: Windows User Identity. Matthew McNew and Lex Hubbard
Symplified I: Windows User Identity Matthew McNew and Lex Hubbard Table of Contents Abstract 1 Introduction to the Project 2 Project Description 2 Requirements Specification 2 Functional Requirements 2
More informationSAML SSO Configuration
SAML SSO Configuration Overview of Single Sign-, page 1 Benefits of Single Sign-, page 2 Overview of Setting Up SAML 2.0 Single Sign-, page 3 SAML 2.0 Single Sign- Differences Between Cloud-Based Meeting
More informationCloud Single Sign-On and On-Premise Identity Federation with SAP NetWeaver Cloud White Paper
Cloud Single Sign-On and On-Premise Identity Federation with SAP NetWeaver Cloud White Paper TABLE OF CONTENTS INTRODUCTION... 3 Where we came from... 3 The User s Dilemma with the Cloud... 4 The Administrator
More informationOpenID Single Sign On and OAuth Data Access for Google Apps. Ryan Boyd @ryguyrg Dave Primmer May 2010
OpenID Single Sign On and OAuth Data Access for Google Apps Ryan Boyd @ryguyrg Dave Primmer May 2010 Why? View live notes and questions about this session on Google Wave: http://bit.ly/magicwave Agenda
More informationFIDO Modern Authentication Rolf Lindemann, Nok Nok Labs
Rolf Lindemann, Nok Nok Labs cv cryptovision GmbH T: +49 (0) 209.167-24 50 F: +49 (0) 209.167-24 61 info(at)cryptovision.com 1 Authentication in Context Single Sign-On Modern Authentication Federation
More informationSafewhere*Identify 3.4. Release Notes
Safewhere*Identify 3.4 Release Notes Safewhere*identify is a new kind of user identification and administration service providing for externalized and seamless authentication and authorization across organizations.
More informationWHITE PAPER Usher Mobile Identity Platform
WHITE PAPER Usher Mobile Identity Platform Security Architecture For more information, visit Usher.com info@usher.com Toll Free (US ONLY): 1 888.656.4464 Direct Dial: 703.848.8710 Table of contents Introduction
More informationSingle Sign On. SSO & ID Management for Web and Mobile Applications
Single Sign On and ID Management Single Sign On SSO & ID Management for Web and Mobile Applications Presenter: Manish Harsh Program Manager for Developer Marketing Platforms of NVIDIA (Visual Computing
More informationGetting Started with AD/LDAP SSO
Getting Started with AD/LDAP SSO Active Directory and LDAP single sign- on (SSO) with Syncplicity Business Edition accounts allows companies of any size to leverage their existing corporate directories
More informationDigital Identity Management
Digital Identity Management Roohul Halim Syed Atif Shaharyar Email: {rooha433, syesh740}@student.liu.se Supervisor: Anna Vapen, {annva@ida.liu.se} Project Report for Information Security Course Linköpings
More informationEnterprise SSO Manager (E-SSO-M)
Enterprise SSO Manager (E-SSO-M) Many resources, such as internet applications, internal network applications and Operating Systems, require the end user to log in several times before they are empowered
More informationSalesforce1 Mobile Security Guide
Salesforce1 Mobile Security Guide Version 1, 1 @salesforcedocs Last updated: December 8, 2015 Copyright 2000 2015 salesforce.com, inc. All rights reserved. Salesforce is a registered trademark of salesforce.com,
More informationAuthentication and Authorization for Mobile Devices
Authentication and Authorization for Mobile Devices Bachelor of Science Thesis in Software Engineering and Management NAVID RANJBAR MAHDI ABDINEJADI The Author grants to Chalmers University of Technology
More informationSOA, case Google. Faculty of technology management 07.12.2009 Information Technology Service Oriented Communications CT30A8901.
Faculty of technology management 07.12.2009 Information Technology Service Oriented Communications CT30A8901 SOA, case Google Written by: Sampo Syrjäläinen, 0337918 Jukka Hilvonen, 0337840 1 Contents 1.
More informationSingle Sign On (SSO) Implementation Manual. For Connect 5 & MyConnect Sites
Single Sign On (SSO) Implementation Manual For Connect 5 & MyConnect Sites Version 6 Release 5.7 September 2013 1 What is Blackboard Connect Single Sign On?... 3 How it Works... 3 Drawbacks to Using Single
More informationWHITE PAPER. Smart Card Authentication for J2EE Applications Using Vintela SSO for Java (VSJ)
WHITE PAPER Smart Card Authentication for J2EE Applications Using Vintela SSO for Java (VSJ) SEPTEMBER 2004 Overview Password-based authentication is weak and smart cards offer a way to address this weakness,
More informationIntroducing Shibboleth
workshop Introducing Shibboleth MPG-AAI Workshop Clarin Centers Prague 2009 2009-11-06 MPG-AAI MPG-AAI a MPG-wide Authentication & Authorization Infrastructure for access control to web-based resources
More informationSCAS: AN IMPROVED SINGLE SIGN-ON MODEL BASE ON CAS
SCAS: AN IMPROVED SINGLE SIGN-ON MODEL BASE ON CAS 1,2 XIANG LIYUN, 1 FANG ZHIYI, 1 SUN HONGYU 1 College of Computer Science and Technology, Jilin University, Changchun, China 2 Department of Computer
More informationIn fact, one of the biggest challenges that the evolution of the Internet is facing today, is related to the question of Identity Management [1].
1. Introduction Using the Internet has become part of the daily habits of a constantly growing number of people, and there are few human activities that can be performed without accessing the enormous
More informationIntegrating VMware Horizon Workspace and VMware Horizon View TECHNICAL WHITE PAPER
Integrating VMware Horizon Workspace and VMware Horizon View TECHNICAL WHITE PAPER Table of Contents Introduction.... 3 Requirements.... 3 Horizon Workspace Components.... 3 SAML 2.0 Standard.... 3 Authentication
More informationSAML Authentication with BlackShield Cloud
SAML Authentication with BlackShield Cloud Powerful Authentication Management for Service Providers and Enterprises Version 3.1 Authentication Service Delivery Made EASY Copyright Copyright 2011. CRYPTOCARD
More informationIVOA Single-Sign-On Profile: Authentication Mechanisms Version 2.0
International Virtual Observatory Alliance IVOA Single-Sign-On Profile: Authentication Mechanisms Version 2.0 IVOA Proposed Recommendation 20151029 Working group http://www.ivoa.net/twiki/bin/view/ivoa/ivoagridandwebservices
More informationAn Identity Management Survey. on Cloud Computing
Int. Journal of Computing and Optimization, Vol. 1, 2014, no. 2, 63-71 HIKARI Ltd, www.m-hikari.com http://dx.doi.org/10.12988/ijco.2014.458 An Identity Management Survey on Cloud Computing Ardi BENUSI
More informationIdentity Management im Liberty Alliance Project
Rheinisch-Westfälische Technische Hochschule Aachen Lehrstuhl für Informatik IV Prof. Dr. rer. nat. Otto Spaniol Identity Management im Liberty Alliance Project Seminar: Datenkommunikation und verteilte
More informationTrend of Federated Identity Management for Web Services
30 Trend of Federated Identity Management for Web Services Chulung Kim, Sangyong Han Abstract While Web service providers offer different approaches to implementing security, users of Web services demand
More informationEnabling Federation and Web-Single Sign-On in Heterogeneous Landscapes with the Identity Provider and Security Token Service Supplied by SAP NetWeaver
Enabling Federation and Web-Single Sign-On in Heterogeneous Landscapes with the Identity Provider and Security Token Service Supplied by SAP NetWeaver SAP Product Management, SAP NetWeaver Identity Management
More informationHow Single-Sign-On Improves The Usability Of Protected Services For Geospatial Data
2014 Fifth International Conference on Computing for Geospatial Research and Application How Single-Sign-On Improves The Usability Of Protected Services For Geospatial Data Andreas Matheus University of
More informationA Standards-based Mobile Application IdM Architecture
A Standards-based Mobile Application IdM Architecture Abstract Mobile clients are an increasingly important channel for consumers accessing Web 2.0 and enterprise employees accessing on-premise and cloud-hosted
More informationE-Authentication Federation Adopted Schemes
E-Authentication Federation Adopted Schemes Version 1.0.0 Final May 4, 2007 Document History Status Release Date Comment Audience Template 0.0.0 1/18/06 Outline PMO Draft 0.0.1 1/19/07 Initial draft Internal
More informationLiberty Alliance. CSRF Review. .NET Passport Review. Kerberos Review. CPSC 328 Spring 2009
CSRF Review Liberty Alliance CPSC 328 Spring 2009 Quite similar, yet different from XSS Malicious script or link involved Exploits trust XSS - exploit user s trust in the site CSRF - exploit site s trust
More informationWeb Applications Access Control Single Sign On
Web Applications Access Control Single Sign On Anitha Chepuru, Assocaite Professor IT Dept, G.Narayanamma Institute of Technology and Science (for women), Shaikpet, Hyderabad - 500008, Andhra Pradesh,
More informationCase Study: SSO for All: SSOCircle Makes Single Sign-On Available to Everyone
Case Study: SSO for All: SSOCircle Makes Single Sign-On Available to Everyone Although single sign-on (SSO) technology based on Liberty standards is being rapidly adopted by businesses, governments and
More informationOAuth Web Authorization Protocol Barry Leiba
www.computer.org/internet computing OAuth Web Authorization Protocol Barry Leiba Vol. 16, No. 1 January/February, 2012 This material is presented to ensure timely dissemination of scholarly and technical
More informationHTTP Mutual authentication and Web security
HTTP Mutual authentication and Web security Yutaka OIWA SAAG, IETF 80 Prague Web security Its importance no need to say Transaction security (credit card, PayPal etc.) User data privacy Most online consumer
More informationTenrox. Single Sign-On (SSO) Setup Guide. January, 2012. 2012 Tenrox. All rights reserved.
Tenrox Single Sign-On (SSO) Setup Guide January, 2012 2012 Tenrox. All rights reserved. About this Guide This guide provides a high-level technical overview of the Tenrox Single Sign-On (SSO) architecture,
More informationSecurity+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 10 Authentication and Account Management
Security+ Guide to Network Security Fundamentals, Fourth Edition Chapter 10 Authentication and Account Management Objectives Describe the three types of authentication credentials Explain what single sign-on
More informationIdentity Federation Broker for Service Cloud
2010 International Conference on Sciences Identity Federation Broker for Cloud He Yuan Huang 1, Bin Wang 1, Xiao Xi Liu 1, Jing Min Xu 1 1 IBM Research China {huanghey, wangbcrl, liuxx, xujingm}@cn.ibm.com
More informationPerceptive Experience Single Sign-On Solutions
Perceptive Experience Single Sign-On Solutions Technical Guide Version: 2.x Written by: Product Knowledge, R&D Date: January 2016 2016 Lexmark International Technology, S.A. All rights reserved. Lexmark
More informationHow to create a SP and a IDP which are visible across tenant space via Config files in IS
How to create a SP and a IDP which are visible across tenant space via Config files in IS This Documentation is explaining the way to create a SP and IDP which works are visible to all the tenant domains.
More informationSingle Sign-on. Overview. Using SSO with the Cisco WebEx and Cisco WebEx Meeting. Overview, page 1
Overview, page 1 Using SSO with the Cisco WebEx and Cisco WebEx Meeting Applications, page 1 Requirements, page 2 Configuration of in Cisco WebEx Messenger Administration Tool, page 3 Sample Installation
More informationINTEGRATION GUIDE. DIGIPASS Authentication for Salesforce using IDENTIKEY Federation Server
INTEGRATION GUIDE DIGIPASS Authentication for Salesforce using IDENTIKEY Federation Server Disclaimer Disclaimer of Warranties and Limitation of Liabilities All information contained in this document is
More informationInternet-Scale Identity Systems: An Overview and Comparison
Internet-Scale Identity Systems: An Overview and Comparison Overview An Internet-scale identity system is an architecture that defines standardized mechanisms enabling the identity attributes of its users
More informationELM Manages Identities of 4 Million Government Program Users with. Identity Server
ELM Manages Identities of 4 Million Government Program Users with Identity Server ELM Implements Single Sign-on With WSO2 Identity Server to Streamline Administration, Improve Productivity, and Reduce
More informationKEYSTROKE DYNAMIC BIOMETRIC AUTHENTICATION FOR WEB PORTALS
KEYSTROKE DYNAMIC BIOMETRIC AUTHENTICATION FOR WEB PORTALS Plurilock Security Solutions Inc. www.plurilock.com info@plurilock.com 2 H IGHLIGHTS: PluriPass is Plurilock static keystroke dynamic biometric
More informationMicrosoft.NET Passport, a solution of single sign on
Microsoft.NET Passport, a solution of single sign on Zheng Liu Department of Computer Science University of Auckland zliu025@ec.auckland.ac.nz Abstract: As the World Wide Web grows rapidly, accessing web-based
More informationSAML Authentication Quick Start Guide
SAML Authentication Quick Start Guide Powerful Authentication Management for Service Providers and Enterprises Authentication Service Delivery Made EASY Copyright 2013 SafeNet, Inc. All rights reserved.
More informationApplication Security Testing. Generic Test Strategy
Application Security Testing Generic Test Strategy Page 2 of 8 Contents 1 Introduction 3 1.1 Purpose: 3 1.2 Application Security Testing: 3 2 Audience 3 3 Test Strategy guidelines 3 3.1 Authentication
More informationSAML AS AN SSO STANDARD FOR CUSTOMER IDENTITY MANAGEMENT. How to Create a Frictionless, Secure Customer Identity Management Strategy
SAML AS AN SSO STANDARD FOR CUSTOMER IDENTITY MANAGEMENT How to Create a Frictionless, Secure Customer Identity Management Strategy PART 1: WHAT IS SAML? SAML in Context Security Assertion Markup Language
More informationPARTNER INTEGRATION GUIDE. Edition 1.0
PARTNER INTEGRATION GUIDE Edition 1.0 Last Revised December 11, 2014 Overview This document provides standards and guidance for USAA partners when considering integration with USAA. It is an overview of
More informationExtending DigiD to the Private Sector (DigiD-2)
TECHNISCHE UNIVERSITEIT EINDHOVEN Department of Mathematics and Computer Science MASTER S THESIS Extending DigiD to the Private Sector (DigiD-2) By Giorgi Moniava Supervisors: Eric Verheul (RU, PwC) L.A.M.
More informationSWIFT: Advanced identity management
SWIFT: Advanced identity management Elena Torroglosa, Alejandro Pérez, Gabriel López, Antonio F. Gómez-Skarmeta and Oscar Cánovas Department of Information and Communications Engineering University of
More informationCopyright Pivotal Software Inc, 2013-2015 1 of 10
Table of Contents Table of Contents Getting Started with Pivotal Single Sign-On Adding Users to a Single Sign-On Service Plan Administering Pivotal Single Sign-On Choosing an Application Type 1 2 5 7 10
More information