Why Identity Management. Identity Management. What We Cover. Role of Digital Identity. Digital Identity. Digital Identity (or network identity)

Save this PDF as:
 WORD  PNG  TXT  JPG

Size: px
Start display at page:

Download "Why Identity Management. Identity Management. What We Cover. Role of Digital Identity. Digital Identity. Digital Identity (or network identity)"

Transcription

1 Why Identity Management Identity Management Claudiu Duma Identity crisis Privacy concerns Identity theft Terrorist threat Department of Computer and Information Science What We Cover Digital Identity (or network identity) Digital identity Problems with digital identity Requirements Identity management systems Collection of information relating to an individual, created and managed as a single unit, stored in electronic format in a given identity system. AKA user account, record, profile Digital Identity Role of Digital Identity May contain: Real attributes of an individual Personally identifiable information (PII) May or may not be traceable to an individual (person) Prerequisite for: Authorization and access control Logging and accountability Reputation 1

2 Multiple Identities Multiple Identity Systems Digital Identity on the Internet: Current Problems 1. Inconvenience 2. Inconsistence 3. In-transience 4. Insecurity 5. Privacy Problems: Inconvenience Problems: Inconsistency People have to Register and create multiple accounts Create strong, independent passwords Remember or securely store all this info Change passwords regularly Human or machine Many sites require CAPTCHAs Various types of registration/login systems around Many, many different authentication schemes Functionality greatly varies across these systems Problems: In-transience Online identity is not transitive An account in domain A is useless at domain B So is reputation, credibility, credit, experience across domains Problems: Insecurity Current infrastructure is basically insecure People lose/leak passwords People choose weak passwords Users machines can be compromised Trojans, Keyloggers, etc. Servers could be compromised too E.g. Lexis-Nexis massive leak Find and attack the weakest link! 2

3 Problem: Privacy Identity Management (IdM) Sites collect a lot of personal data Users can not control their disclosed data Vast propagation of sensitive information Very prone to leaking. Leaks are also vulnerable to weakest link. Provides the tools for managing identities In a consistent, automated, interoperable, secure, and privacy preserving way Main functionalities Single sign-on (SSO) Attribute sharing Stakeholders and Their Main Requirements Identity Management Components Users Convenience Control the disclosure and propagation of their data Service Providers User authentication Access control to resources Governments Reliable I&A of individuals Reliable signature User Identity Manager Services Architectural Choices User-centric IdM Centralized IdM Federated IdM National digital identity infrastructures Centralized IdM Systems 3

4 Centralized IdM: Microsoft Pasport Goal a one-stop-shop where personal information is stored and used for online activity Provides Single sign-on Wallet: credit card info, contact info, etc. Microsoft Passport Architecture Wallet functionality is similar 1. Request page at SP 2. Redirect to Passport Server 3. Checks Ticket Granting Cookie (TGC) 4. If not existent, MPS authenticates user 5. MPS sets TGC (encrypted with K MPS ) 6. MPS redirects to SP, with token (encrypted with K MPS-SP ) in header 7. MPS sets an encrypted cookie Service Provider (SP) Microsoft Passport Server (MPS) Cookies as Authenticators Problem No proof of cookie ownership Cookies can be stolen and reused E.g. Cross Site Scripting (XSS) In Kerberos, proof of token ownership is required Remedy? token proof Concerns with the Passport Vulnerable to several attacks Cross site scripting Bogus merchant Man-in-the-middle DNS attack Reshaped into Windows Live ID! Security concerns User interface Key management Central point of attack Persistent cookies Automatic credential assignment Privacy concerns All under control of Microsoft Federated IdM Systems Federated IdM: Liberty Alliance Goal Link user identities at different systems Dominant industry effort An open standard for Federated IdM Aims at providing and supporting interoperability Different implementations exists Provides SSO Cross domain data (attribute) sharing Anonymous data sharing 4

5 2. IDP sets a cookie Liberty Alliance Architecture Liberty Liberty Identity Identity Federation Framework (ID-FF) (ID-FF) Identity federation Account linkage SSO Liberty Liberty Identity Identity Service Service Interface Specifications (ID-SS) (ID-SS) Enables interoperable identity services such as alert, calendar, wallet, contacts, geo-location, etc. Liberty Liberty Identity Identity Web Web Service Service Framework (ID-WSF) Framework for interoperable identity services, permission based identity sharing, identity service description and discovery, etc. Liberty Liberty specifications build build on on existing existing standards XML, XML, SAML, SAML, SOAP SOAP Circle of Trust Model Principal G F F A Network identity providers E E D Circle of trust Business agreements Service level agreements (SLA) Policies, guidelines, acceptable use policies (AUP) Identity provider (IDP) (e.g. a bank) Authentication infrastructure Maintains core identity attributes B C Service providers (SPs) Offer services Don t need to invest in authentication infrastructure Identity Federation Identity Federation Identity linking IDP IDP Alice federates some of her identities, but not all of them Federated Identity Life-Cycle Federate an Identity: Introduction Metadata Metadata exchange exchange Federation Federation Single Single sign-on sign-on (already (already federated) federated) Name Name registration registration Airline. Inc (IDP) Welcome Alice You Airline. may federate Inc (IDP) your Airline.inc identity with any Member other of identities AAG you may Login: have with Alice members of our affinity group Alice AAG Pass: ***** Do you consent? ***** Yes Yes CarRental.inc (SP) Single Single logout logout Federation Federation termination termination Opt-in policy! 1. Logins to IDP Airline.Inc (IDP) 5

6 Federate an Identity: Account Linking CarRental.Inc Welcome Alice123 We CarRental.Inc noticed you recently sign-on to Airline.inc Member of AAG Would you like to federate Login: your CarRental.inc Alice123 Alice123 and Pass: Airline.inc ***** identities? ***** Yes Yes 5. Asks for federation 4. Checks cookie 3. Logins to SP CarRental.inc (SP) Common Domain Cookies Airline.Inc (IDP) Circle of trust common domain XXX.AGG.inc Airline.AGG.inc Common domain service sets cookie CarRental.AGG.inc Common domain service reads cookie CarRental.inc (SP) Airline.inc (IDP) Account Linking Multiple IdP and Multiple IDs IDP account Federate account Alias: mr3ttj Domain:.com Name: dtvlir Alias: xyrvds Domain:.com Name: pfk9uz account Federate account Alias: dtvlir Domain: IDP.com Name: mr3ttj work profile IDP1 IDP1 account home profile User handlers no global ID prevents collusion between SPs Federate account Alias: pfk9uz Domain: IDP.com Name: xyrvds Needs mechanisms to discern among IDPs and SPs IDP2 IDP2 SP4 SP4 Generic SSO Example: SSO with Browser Artifact 6. User gets service from SP 1. User accesses SP CarRental.inc (SP) 5. Authentication assertion checked 4.1. Back channel 4. Auth assertion or handle to assertion 2. AuthRequest() 3. Authentication assertion issued 0. Logins to IDP Airline.inc (IDP) 6

7 Assertions Signed claims Use Security Assertion Meta Language (SAML) SAML assertions Authentication assertion Authorization decision assertion Attribute assertion XML-based SAML Assertion Example <saml:assertion AssertionID="SqMC8Hs2vJ7Z+t4UiLSmhKOSUO0U > <saml:conditions NotBefore=" T21:42:12Z" NotOnOrAfter=" T21:42: 43Z"> </saml:conditions> <saml:authenticationstatement AuthenticationMethod= "urn:oasis:names: :password"> <saml:subject xsi:type="lib:subjecttype"> <saml:nameidentifier Format="urn:liberty:..:federated"> C9FfGouQdBJ7bpkismYgd8ygeVb3PlWK </saml:nameidentifier> <lib:idpprovidednameidentifier> C9FfGouQdBJ7bpkismYgd8ygeVb3PlWK </lib:idpprovidednameidentifier> </saml:subject> </saml:authenticationstatement> <ds:signature> <ds:digestvalue> ZbscbqHTX9H8bBftRIWlG4Epv1A= </ds:digestvalue> <ds:signaturevalue> H+q3nC3jUalj1uKUVkcC4iTFClxeZQIFF0nv HqPS5oZhtkBaDb </ds:signaturevalue> </ds:signature> </saml:assertion> Permission-Based Attribute Sharing Permission-Based Attribute Sharing 1. Access site and buy 2. Shipping address? 3. Use my profile SP 4. Where is AP? 5. Use this AP 6. Give me address 10. Here is the address IDP Liberty specifies only technical guidelines No common interface for setting policies Liberty specification enables Principal s privacy but do not ensure it. 7. Check permission 8. Give permission 9. Could store permission Identity service could be the user! Attribute Provider (AP) Concerns with Liberty Alliance Concerns with Liberty Alliance User incur security & privacy problems Security One secret gives access to everything IdP can impersonate users across the circle of trust IdP can falsely deny access to users across the circle of trust Privacy IdP has real-time surveillance capabilities IdP and SPs may share user information Opt-in policy not very popular SPs lose their information autonomy IdP is one point of failure IdP has real-time surveillance capabilities Competitive intelligence of which users are services at what time All data sharing must go through IdP Liberty doesn't specify how authentication relations are maintained Maybe susceptible to same attacks as Passport 7

8 Other Federated IdM Systems WS-Federation An identity metasystem Set of protocols for distributing claims Based on SAML IBM, Microsoft, etc. working with OASIS Open standard User-centric IdM Systems User-centric (or local) IdM User-centric IdM Goals: No trusted third party Support multiple identities Avoid the interchange of user data between other parties Really keeps the user in control! Base idea: user is its own IdM Alice s profiles Identity Manager 1 2 HTML / HTTP 3 4 SOAP / HTTP SP Identity Agent Info about users Limitation of User-centered IdM Information is stored in two places Unsigned claims Not-portable Security of the client! End-user computer could be compromised Possible solution: Trusted Computing Platform National Digital Identity Infrastructure 8

9 National IdM Infrastructure Security Requirements e-government The interaction between state authorities and society with help of information and communication technology Goals: Improves services for citizens (e-voting, e-taxes, etc) Reduce retention periods and costs Major requirements: Security and privacy (paramount) Scalability Flexibility Entity authentication Data origin authentication Confidentiality Non-repudiation Electronic Signature Requirements for qualified signature (EU directive) Created by a secure signature-creation device (SSCD) In contact with the signature-creation data (Private key) Based on qualified certificate Contains the signature verification data (Public key) Certification service providers (CSP) Public or private organizations that asses SSCDs and CSPs Case Study: Austrian Citizen Card Signature-Creation System PIN should not be intercepted Data to be signed (DTBS) should not contain dynamic or hidden information Display should be trustworthy What you see is what you sign! Identification: Austrian Citizen Card Prohibit Inference: Sector Tags Goal: Unequivocally establish the individual Avoid digital twins! X509 certificates use distinguished names / O=LiU / OU=IDA / CN=Claudiu Duma / Qualified certificates use persona binding Name + CRR Number + date of birth CRR = Central Register of Residents 9

10 Application Environment Concerns and Challenges Concerns Integrity of the capsule and the trusted-paths Revocation of compromised certificates Tamper-resistance Further challenges Cross border IdM (Pan-European digital ID) Open the infrastructure to private sector (typical service providers) 10

Liberty Specs Tutorial WWW.PROJECTLIBERTY.ORG

Liberty Specs Tutorial WWW.PROJECTLIBERTY.ORG Liberty Specs Tutorial WWW.PROJECTLIBERTY.ORG 1 Introduction to Liberty Alliance Overview & Key Concepts Resources Architecture and Spec documents Phase 1 - ID-FF Federated identity life-cycle Metadata

More information

Federated Identity Management Solutions

Federated Identity Management Solutions Federated Identity Management Solutions Jyri Kallela Helsinki University of Technology jkallela@cc.hut.fi Abstract Federated identity management allows users to access multiple services based on a single

More information

Identity Management im Liberty Alliance Project

Identity Management im Liberty Alliance Project Rheinisch-Westfälische Technische Hochschule Aachen Lehrstuhl für Informatik IV Prof. Dr. rer. nat. Otto Spaniol Identity Management im Liberty Alliance Project Seminar: Datenkommunikation und verteilte

More information

Trusting XBRL: Using the Liberty Web Services Framework to Secure and Authenticate XBRL Documents

Trusting XBRL: Using the Liberty Web Services Framework to Secure and Authenticate XBRL Documents Trusting XBRL: Using the Liberty Web Services Framework to Secure and Authenticate XBRL Documents Farrukh Najmi and Eve Maler farrukh.najmi@sun.com, eve.maler@sun.com Sun Microsystems, Inc. Goals for today's

More information

Extending DigiD to the Private Sector (DigiD-2)

Extending DigiD to the Private Sector (DigiD-2) TECHNISCHE UNIVERSITEIT EINDHOVEN Department of Mathematics and Computer Science MASTER S THESIS Extending DigiD to the Private Sector (DigiD-2) By Giorgi Moniava Supervisors: Eric Verheul (RU, PwC) L.A.M.

More information

Liberty Alliance. CSRF Review. .NET Passport Review. Kerberos Review. CPSC 328 Spring 2009

Liberty Alliance. CSRF Review. .NET Passport Review. Kerberos Review. CPSC 328 Spring 2009 CSRF Review Liberty Alliance CPSC 328 Spring 2009 Quite similar, yet different from XSS Malicious script or link involved Exploits trust XSS - exploit user s trust in the site CSRF - exploit site s trust

More information

Computer Systems Security 2013/2014. Single Sign-On. Bruno Maia ei09095@fe.up.pt. Pedro Borges ei09063@fe.up.pt

Computer Systems Security 2013/2014. Single Sign-On. Bruno Maia ei09095@fe.up.pt. Pedro Borges ei09063@fe.up.pt Computer Systems Security 2013/2014 Single Sign-On Bruno Maia ei09095@fe.up.pt Pedro Borges ei09063@fe.up.pt December 13, 2013 Contents 1 Introduction 2 2 Explanation of SSO systems 2 2.1 OpenID.................................

More information

Enabling Federation and Web-Single Sign-On in Heterogeneous Landscapes with the Identity Provider and Security Token Service Supplied by SAP NetWeaver

Enabling Federation and Web-Single Sign-On in Heterogeneous Landscapes with the Identity Provider and Security Token Service Supplied by SAP NetWeaver Enabling Federation and Web-Single Sign-On in Heterogeneous Landscapes with the Identity Provider and Security Token Service Supplied by SAP NetWeaver SAP Product Management, SAP NetWeaver Identity Management

More information

Evaluation of different Open Source Identity management Systems

Evaluation of different Open Source Identity management Systems Evaluation of different Open Source Identity management Systems Ghasan Bhatti, Syed Yasir Imtiaz Linkoping s universitetet, Sweden [ghabh683, syeim642]@student.liu.se 1. Abstract Identity management systems

More information

Web Services Security: OpenSSO and Access Management for SOA. Sang Shin Java Technology Evangelist Sun Microsystems, Inc. javapassion.

Web Services Security: OpenSSO and Access Management for SOA. Sang Shin Java Technology Evangelist Sun Microsystems, Inc. javapassion. Web Services Security: OpenSSO and Access Management for SOA Sang Shin Java Technology Evangelist Sun Microsystems, Inc. javapassion.com 1 Agenda Need for Identity-based Web services security Single Sign-On

More information

Introduction to Identity Management. Sam Lee, Outblaze Ltd.

Introduction to Identity Management. Sam Lee, Outblaze Ltd. Introduction to Identity Management Sam Lee, Outblaze Ltd. Agenda Background Identity Management Single Sign-On Federation Future s Identity management Conclusions 2 Background Why identity management?

More information

IMPLEMENTING SINGLE SIGN- ON USING SAML 2.0 ON JUNIPER NETWORKS MAG SERIES JUNOS PULSE GATEWAYS

IMPLEMENTING SINGLE SIGN- ON USING SAML 2.0 ON JUNIPER NETWORKS MAG SERIES JUNOS PULSE GATEWAYS APPLICATION NOTE IMPLEMENTING SINGLE SIGN- ON USING SAML 2.0 ON JUNIPER NETWORKS MAG SERIES JUNOS PULSE GATEWAYS SAML 2.0 combines encryption and digital signature verification across resources for a more

More information

Identity Management. Audun Jøsang University of Oslo. NIS 2010 Summer School. September 2010. http://persons.unik.no/josang/

Identity Management. Audun Jøsang University of Oslo. NIS 2010 Summer School. September 2010. http://persons.unik.no/josang/ Identity Management Audun Jøsang University of Oslo NIS 2010 Summer School September 2010 http://persons.unik.no/josang/ Outline Identity and identity management concepts Identity management models User-centric

More information

Network Identity. 1. Introduction. Kai Kang Helsinki University of Technology Networking Laboratory kkang@cc.hut.fi

Network Identity. 1. Introduction. Kai Kang Helsinki University of Technology Networking Laboratory kkang@cc.hut.fi Network Identity Kai Kang Helsinki University of Technology Networking Laboratory kkang@cc.hut.fi Abstract: This paper is concerning on modern Network Identity issues, emphasizing on network identity management,

More information

Federated Identity Architectures

Federated Identity Architectures Federated Identity Architectures Uciel Fragoso-Rodriguez Instituto Tecnológico Autónomo de México, México {uciel@itam.mx} Maryline Laurent-Maknavicius CNRS Samovar UMR 5157, GET Institut National des Télécommunications,

More information

Implementation Guide SAP NetWeaver Identity Management Identity Provider

Implementation Guide SAP NetWeaver Identity Management Identity Provider Implementation Guide SAP NetWeaver Identity Management Identity Provider Target Audience Technology Consultants System Administrators PUBLIC Document version: 1.10 2011-07-18 Document History CAUTION Before

More information

TIB 2.0 Administration Functions Overview

TIB 2.0 Administration Functions Overview TIB 2.0 Administration Functions Overview Table of Contents 1. INTRODUCTION 4 1.1. Purpose/Background 4 1.2. Definitions, Acronyms and Abbreviations 4 2. OVERVIEW 5 2.1. Overall Process Map 5 3. ADMINISTRATOR

More information

New Single Sign-on Options for IBM Lotus Notes & Domino. 2012 IBM Corporation

New Single Sign-on Options for IBM Lotus Notes & Domino. 2012 IBM Corporation New Single Sign-on Options for IBM Lotus Notes & Domino 2012 IBM Corporation IBM s statements regarding its plans, directions, and intent are subject to change or withdrawal without notice at IBM s sole

More information

Glossary of Key Terms

Glossary of Key Terms and s Branch Glossary of Key Terms The terms and definitions listed in this glossary are used throughout the s Package to define key terms in the context of. Access Control Access The processes by which

More information

Enabling SAML for Dynamic Identity Federation Management

Enabling SAML for Dynamic Identity Federation Management Enabling SAML for Dynamic Identity Federation Management Patricia Arias, Florina Almenárez, Andrés Marín and Daniel Díaz-Sánchez University Carlos III of Madrid http://pervasive.gast.it.uc3m.es/ WMNC 2009

More information

Flexible Identity Federation

Flexible Identity Federation Flexible Identity Federation Quick start guide version 1.0.1 Publication history Date Description Revision 2015.09.23 initial release 1.0.0 2015.12.11 minor updates 1.0.1 Copyright Orange Business Services

More information

Negotiating Trust in Identity Metasystem

Negotiating Trust in Identity Metasystem Negotiating Trust in Identity Metasystem Mehmud Abliz Department of Computer Science University of Pittsburgh Pittsburgh, Pennsylvania 15260 mehmud@cs.pitt.edu Abstract Many federated identity management

More information

Nationwide and Regional Health Information Networks and Federated Identity for Authentication and HIPAA Compliance

Nationwide and Regional Health Information Networks and Federated Identity for Authentication and HIPAA Compliance Nationwide and Regional Health Information Networks and Federated Identity for Authentication and HIPAA Compliance Christina Stephan, MD Co-Chair Liberty Alliance ehealth SIG National Library of Medicine

More information

This chapter describes how to use the Junos Pulse Secure Access Service in a SAML single sign-on deployment. It includes the following sections:

This chapter describes how to use the Junos Pulse Secure Access Service in a SAML single sign-on deployment. It includes the following sections: CHAPTER 1 SAML Single Sign-On This chapter describes how to use the Junos Pulse Secure Access Service in a SAML single sign-on deployment. It includes the following sections: Junos Pulse Secure Access

More information

Designing federated identity management architectures for addressing the recent attacks against online financial transactions.

Designing federated identity management architectures for addressing the recent attacks against online financial transactions. Designing federated identity management architectures for addressing the recent attacks against online financial transactions. Dr. Christos K. Dimitriadis Security Officer INTRALOT S.A. Scope and Agenda

More information

OIO Web SSO Profile V2.0.5

OIO Web SSO Profile V2.0.5 ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

More information

Enhancing Web Application Security

Enhancing Web Application Security Enhancing Web Application Security Using Another Authentication Factor Karen Lu and Asad Ali Gemalto, Inc. Technology & Innovations Austin, TX, USA Overview Introduction Current Statet Smart Cards Two-Factor

More information

Internet Single Sign-On Systems

Internet Single Sign-On Systems Internet Single Sign-On Systems Radovan SEMANČÍK nlight, s.r.o. Súľovská 34, 812 05 Bratislava, Slovak Republic semancik@nlight.sk Abstract. This document describes the requirements and general principles

More information

SAML-Based SSO Solution

SAML-Based SSO Solution About SAML SSO Solution, page 1 SAML-Based SSO Features, page 2 Basic Elements of a SAML SSO Solution, page 2 SAML SSO Web Browsers, page 3 Cisco Unified Communications Applications that Support SAML SSO,

More information

Web Services and Federated Identity Management

Web Services and Federated Identity Management Web Services and Federated Identity Management Birgit Pfitzmann, bpf@zurich.ibm.com with Thomas Gross, Ahmad Sadeghi DIMACS, May 6, 2005 www.zurich.ibm.com What s New about Federated Identity Management?

More information

Authentication Methods

Authentication Methods Authentication Methods Overview In addition to the OU Campus-managed authentication system, OU Campus supports LDAP, CAS, and Shibboleth authentication methods. LDAP users can be configured through the

More information

STUDY ON IMPROVING WEB SECURITY USING SAML TOKEN

STUDY ON IMPROVING WEB SECURITY USING SAML TOKEN STUDY ON IMPROVING WEB SECURITY USING SAML TOKEN 1 Venkadesh.M M.tech, Dr.A.Chandra Sekar M.E., Ph.d MISTE 2 1 ResearchScholar, Bharath University, Chennai 73, India. venkadeshkumaresan@yahoo.co.in 2 Professor-CSC

More information

SAML Security Option White Paper

SAML Security Option White Paper Fujitsu mpollux SAML Security Option White Paper Fujitsu mpollux Version 2.1 February 2009 First Edition February 2009 The programs described in this document may only be used in accordance with the conditions

More information

CS 356 Lecture 28 Internet Authentication. Spring 2013

CS 356 Lecture 28 Internet Authentication. Spring 2013 CS 356 Lecture 28 Internet Authentication Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control Lists

More information

SAML Federated Identity at OASIS

SAML Federated Identity at OASIS International Telecommunication Union SAML Federated Identity at OASIS Hal Lockhart BEA Systems Geneva, 5 December 2006 SAML and the OASIS SSTC o SAML: Security Assertion Markup Language A framework for

More information

WebLogic Server 7.0 Single Sign-On: An Overview

WebLogic Server 7.0 Single Sign-On: An Overview WebLogic Server 7.0 Single Sign-On: An Overview Today, a growing number of applications are being made available over the Web. These applications are typically comprised of different components, each of

More information

Information Security Group Active-client based identity management

Information Security Group Active-client based identity management Active-client based identity management Chris Mitchell Royal Holloway, University of London www.chrismitchell.net 1 Acknowledgements This is joint work with Haitham Al-Sinani, also of Royal Holloway. 2

More information

Title: A Client Middleware for Token-Based Unified Single Sign On to edugain

Title: A Client Middleware for Token-Based Unified Single Sign On to edugain Title: A Client Middleware for Token-Based Unified Single Sign On to edugain Sascha Neinert Computing Centre University of Stuttgart, Allmandring 30a, 70550 Stuttgart, Germany e-mail: sascha.neinert@rus.uni-stuttgart.de

More information

Identity Management. Critical Systems Laboratory

Identity Management. Critical Systems Laboratory Identity Management Critical Systems What is Identity Management? Identity: a set of attributes and values, which might or might not be unique Storing and manipulating identities Binding virtual identities

More information

NIST s Guide to Secure Web Services

NIST s Guide to Secure Web Services NIST s Guide to Secure Web Services Presented by Gaspar Modelo-Howard and Ratsameetip Wita Secure and Dependable Web Services National Institute of Standards and Technology. Special Publication 800-95:

More information

The increasing popularity of mobile devices is rapidly changing how and where we

The increasing popularity of mobile devices is rapidly changing how and where we Mobile Security BACKGROUND The increasing popularity of mobile devices is rapidly changing how and where we consume business related content. Mobile workforce expectations are forcing organizations to

More information

Identity opens the participation age. Dr. Rainer Eschrich. Program Manager Identity Management Sun Microsystems GmbH

Identity opens the participation age. Dr. Rainer Eschrich. Program Manager Identity Management Sun Microsystems GmbH Identity opens the participation age Open Web Single Sign- On und föderierte SSO Dr. Rainer Eschrich Program Manager Identity Management Sun Microsystems GmbH Agenda The Identity is the Network Driving

More information

Revised edition. OIO Web SSO Profile V2.0.9 (also known as OIOSAML 2.0.9) Includes errata and minor clarifications

Revised edition. OIO Web SSO Profile V2.0.9 (also known as OIOSAML 2.0.9) Includes errata and minor clarifications OIO Web SSO Profile V2.0.9 (also known as OIOSAML 2.0.9) Revised edition Includes errata and minor clarifications Danish Agency for Digitisation September 2012 Contents > 1 Introduction 8 1.1 Referenced

More information

Disclaimer. SAP 2008 / SAP TechEd 08 / SIM202 / Page 2

Disclaimer. SAP 2008 / SAP TechEd 08 / SIM202 / Page 2 SIM202 SAML 2.0 and Identity Federation Yonko Yonchev, NW PM Security SAP AG Dimitar Mihaylov, NW Security and Identity Management SAP Labs Bulgaria Tsvetomir Tsvetanov, Active Global Support SAP America

More information

New Generation of Liberty. for Enterprise. Fulup Ar Foll, Sun Microsystems Fulup@sun.com

New Generation of Liberty. for Enterprise. Fulup Ar Foll, Sun Microsystems Fulup@sun.com New Generation of Liberty TEG Federated Progress Architecture Update for Enterprise Fulup Ar Foll, Sun Microsystems fulup@sun.com 1 Identity Framework Problematic User Seamless (nothing is too simple)

More information

Using SAML for Single Sign-On in the SOA Software Platform

Using SAML for Single Sign-On in the SOA Software Platform Using SAML for Single Sign-On in the SOA Software Platform SOA Software Community Manager: Using SAML on the Platform 1 Policy Manager / Community Manager Using SAML for Single Sign-On in the SOA Software

More information

SAML 2.0 Refresher. Víctor Aké Oslo, Norway August Identity and Federation Architect

SAML 2.0 Refresher. Víctor Aké Oslo, Norway August Identity and Federation Architect SAML 2.0 Refresher Víctor Aké Oslo, Norway August 2008 http://www.projectliberty.org Identity and Federation Architect victor.ake@sun.com SAML 2 What is it? What does it do? How does it work? SAML2 components

More information

IAM Application Integration Guide

IAM Application Integration Guide IAM Application Integration Guide Date 03/02/2015 Version 0.1 DOCUMENT INFORMATIE Document Title IAM Application Integration Guide File Name IAM_Application_Integration_Guide_v0.1_SBO.docx Subject Document

More information

Federated Identity in the Enterprise

Federated Identity in the Enterprise www.css-security.com 425.216.0720 WHITE PAPER The proliferation of user accounts can lead to a lowering of the enterprise security posture as users record their account information in order to remember

More information

Web Services Security and Federated Identity Management

Web Services Security and Federated Identity Management Web Services Security and Federated Identity Management Birgit Pfitzmann, bpf@zurich.ibm.com with Thomas Gross March 8, 2005 www.zurich.ibm.com Federated Identity Management (FIM) Roles Exchange Possible?

More information

E-Authentication Federation Adopted Schemes

E-Authentication Federation Adopted Schemes E-Authentication Federation Adopted Schemes Version 1.0.0 Final May 4, 2007 Document History Status Release Date Comment Audience Template 0.0.0 1/18/06 Outline PMO Draft 0.0.1 1/19/07 Initial draft Internal

More information

An Anti-Phishing mechanism for Single Sign-On based on QR-Code

An Anti-Phishing mechanism for Single Sign-On based on QR-Code An Anti-Phishing mechanism for Single Sign-On based on QR-Code Syamantak Mukhopadhyay School of Electronics and Computer Science University of Southampton Southampton, UK sm19g10@ecs.soton.ac.uk David

More information

The Role of Federation in Identity Management

The Role of Federation in Identity Management The Role of Federation in Identity Management August 19, 2008 Andrew Latham Solutions Architect Identity Management 1 The Role of Federation in Identity Management Agenda Federation Backgrounder Federation

More information

Lecture Notes for Advanced Web Security 2015

Lecture Notes for Advanced Web Security 2015 Lecture Notes for Advanced Web Security 2015 Part 6 Web Based Single Sign-On and Access Control Martin Hell 1 Introduction Letting users use information from one website on another website can in many

More information

CA SiteMinder. Federation Security Services Release Notes. r12.0 SP3

CA SiteMinder. Federation Security Services Release Notes. r12.0 SP3 CA SiteMinder Federation Security Services Release Notes r12.0 SP3 This documentation and any related computer software help programs (hereinafter referred to as the "Documentation") are for your informational

More information

QR-SSO : Towards a QR-Code based Single Sign-On system

QR-SSO : Towards a QR-Code based Single Sign-On system QR-SSO : Towards a QR-Code based Single Sign-On system Syamantak Mukhopadhyay School of Electronics and Computer Science University of Southampton Southampton, UK sm19g10@ecs.soton.ac.uk David Argles School

More information

Privacy in Cloud Computing Through Identity Management

Privacy in Cloud Computing Through Identity Management Privacy in Cloud Computing Through Identity Management Bharat Bhargava 1, Noopur Singh 2, Asher Sinclair 3 1 Computer Science, Purdue University 2 Electrical and Computer Engineering, Purdue University

More information

CA Performance Center

CA Performance Center CA Performance Center Single Sign-On User Guide 2.4 This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the Documentation ) is

More information

SCAS: AN IMPROVED SINGLE SIGN-ON MODEL BASE ON CAS

SCAS: AN IMPROVED SINGLE SIGN-ON MODEL BASE ON CAS SCAS: AN IMPROVED SINGLE SIGN-ON MODEL BASE ON CAS 1,2 XIANG LIYUN, 1 FANG ZHIYI, 1 SUN HONGYU 1 College of Computer Science and Technology, Jilin University, Changchun, China 2 Department of Computer

More information

CA Nimsoft Service Desk

CA Nimsoft Service Desk CA Nimsoft Service Desk Single Sign-On Configuration Guide 6.2.6 This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the Documentation

More information

Account Management: A Deployment and Usability Problem Phillip Hallam- Baker VP & Principal Scientist, Comodo Group Inc.

Account Management: A Deployment and Usability Problem Phillip Hallam- Baker VP & Principal Scientist, Comodo Group Inc. Account Management: A Deployment and Usability Problem Phillip Hallam- Baker VP & Principal Scientist, Comodo Group Inc. Abstract Account management is the biggest challenge most Web users face today.

More information

Implementing Identity Provider on Mobile Phone

Implementing Identity Provider on Mobile Phone Implementing Identity Provider on Mobile Phone Tsuyoshi Abe, Hiroki Itoh, and Kenji Takahashi NTT Information Sharing Platform Laboratories, NTT Corporation 3-9-11 Midoricho, Musashino-shi, Tokyo 180-8585,

More information

Identity Federation Management to make Operational and Business Efficiency through SSO

Identity Federation Management to make Operational and Business Efficiency through SSO 2012 International Conference on Industrial and Intelligent Information (ICIII 2012) IPCSIT vol.31 (2012) (2012) IACSIT Press, Singapore Identity Federation Management to make Operational and Business

More information

The Primer: Nuts and Bolts of Federated Identity Management

The Primer: Nuts and Bolts of Federated Identity Management The Primer: Nuts and Bolts of Federated Identity Management Executive Overview For any IT department, it is imperative to understand how your organization can securely manage and control users identities.

More information

SAML, The Liberty Alliance, and Federation* Eve Maler eve.maler@sun.com http://www.xmlgrrl.com/blog

SAML, The Liberty Alliance, and Federation* Eve Maler eve.maler@sun.com http://www.xmlgrrl.com/blog SAML, The Liberty Alliance, and Federation* Eve Maler eve.maler@sun.com http://www.xmlgrrl.com/blog IIWb, Mountain View, CA, 4 December 2006 1 When you distribute identity tasks and information in the

More information

Research and Implementation of Single Sign-On Mechanism for ASP Pattern *

Research and Implementation of Single Sign-On Mechanism for ASP Pattern * Research and Implementation of Single Sign-On Mechanism for ASP Pattern * Bo Li, Sheng Ge, Tian-yu Wo, and Dian-fu Ma Computer Institute, BeiHang University, PO Box 9-32 Beijing 100083 Abstract Software

More information

Agenda. How to configure

Agenda. How to configure dlaw@esri.com Agenda Strongly Recommend: Knowledge of ArcGIS Server and Portal for ArcGIS Security in the context of ArcGIS Server/Portal for ArcGIS Access Authentication Authorization: securing web services

More information

Identity Federation Broker for Service Cloud

Identity Federation Broker for Service Cloud 2010 International Conference on Sciences Identity Federation Broker for Cloud He Yuan Huang 1, Bin Wang 1, Xiao Xi Liu 1, Jing Min Xu 1 1 IBM Research China {huanghey, wangbcrl, liuxx, xujingm}@cn.ibm.com

More information

Secure Semantic Web Service Using SAML

Secure Semantic Web Service Using SAML Secure Semantic Web Service Using SAML JOO-YOUNG LEE and KI-YOUNG MOON Information Security Department Electronics and Telecommunications Research Institute 161 Gajeong-dong, Yuseong-gu, Daejeon KOREA

More information

PARTNER INTEGRATION GUIDE. Edition 1.0

PARTNER INTEGRATION GUIDE. Edition 1.0 PARTNER INTEGRATION GUIDE Edition 1.0 Last Revised December 11, 2014 Overview This document provides standards and guidance for USAA partners when considering integration with USAA. It is an overview of

More information

Introduction to SAML

Introduction to SAML Introduction to THE LEADER IN API AND CLOUD GATEWAY TECHNOLOGY Introduction to Introduction In today s world of rapidly expanding and growing software development; organizations, enterprises and governments

More information

The Primer: Nuts and Bolts of Federated Identity Management

The Primer: Nuts and Bolts of Federated Identity Management The Primer: Nuts and Bolts of Federated Identity Management Overview For any IT department, it is imperative to understand how your organization can securely manage and control users identities. With so

More information

SAML Authentication Quick Start Guide

SAML Authentication Quick Start Guide SAML Authentication Quick Start Guide Powerful Authentication Management for Service Providers and Enterprises Authentication Service Delivery Made EASY Copyright 2013 SafeNet, Inc. All rights reserved.

More information

Copyright: WhosOnLocation Limited

Copyright: WhosOnLocation Limited How SSO Works in WhosOnLocation About Single Sign-on By default, your administrators and users are authenticated and logged in using WhosOnLocation s user authentication. You can however bypass this and

More information

Contents. Identity Assurance (Scott Rea Dartmouth College) IdM Workshop, Brisbane Australia, August 19, 2008

Contents. Identity Assurance (Scott Rea Dartmouth College) IdM Workshop, Brisbane Australia, August 19, 2008 Identity Assurance (Scott Rea Dartmouth College) IdM Workshop, Brisbane Australia, August 19, 2008 Contents Authentication and Identity Assurance The Identity Assurance continuum Plain Password Authentication

More information

OpenHRE Security Architecture. (DRAFT v0.5)

OpenHRE Security Architecture. (DRAFT v0.5) OpenHRE Security Architecture (DRAFT v0.5) Table of Contents Introduction -----------------------------------------------------------------------------------------------------------------------2 Assumptions----------------------------------------------------------------------------------------------------------------------2

More information

Federation Proxy for Cross Domain Identity Federation

Federation Proxy for Cross Domain Identity Federation Proxy for Cross Domain Identity Makoto Hatakeyama NEC Corporation, Common Platform Software Res. Lab. 1753, Shimonumabe, Nakahara-Ku, Kawasaki, Kanagawa 211-8666, Japan +81-44-431-7663 m-hatake@ax.jp.nec.com

More information

Revised edition. OIO Web SSO Profile V2.0.8 (also known as OIOSAML 2.0.8) Includes errata and minor clarifications

Revised edition. OIO Web SSO Profile V2.0.8 (also known as OIOSAML 2.0.8) Includes errata and minor clarifications OIO Web SSO Profile V2.0.8 (also known as OIOSAML 2.0.8) Revised edition Includes errata and minor clarifications Danish Agency for Digitisation December 2011 Contents > 1 Introduction 8 1.1 Referenced

More information

Network-based Access Control

Network-based Access Control Chapter 4 Network-based Access Control 4.1 Rationale and Motivation Over the past couple of years, a multitude of authentication and access control technologies have been designed and implemented. Although

More information

A Data Synchronization based Single Sign-on Schema Supporting Heterogeneous Systems and Multi-Management Mode

A Data Synchronization based Single Sign-on Schema Supporting Heterogeneous Systems and Multi-Management Mode A Data Synchronization based Single Sign-on Schema Supporting Heterogeneous Systems and Multi-Management Mode Haojiang Gao 1 Beijing Northking Technology Co.,Ltd Zhongguancun Haidian Science Park Postdoctoral

More information

D.I.M. allows different authentication procedures, from simple e-mail confirmation to electronic ID.

D.I.M. allows different authentication procedures, from simple e-mail confirmation to electronic ID. Seite 1 von 11 Distributed Identity Management The intention of Distributed Identity Management is the advancement of the electronic communication infrastructure in justice with the goal of defining open,

More information

SAML-Based SSO Solution

SAML-Based SSO Solution About SAML SSO Solution, page 1 SAML-Based SSO Features, page 2 Basic Elements of a SAML SSO Solution, page 2 SAML SSO Web Browsers, page 3 Cisco Unified Communications Applications that Support SAML SSO,

More information

Mid-Project Report August 14 th, 2012. Nils Dussart 0961540

Mid-Project Report August 14 th, 2012. Nils Dussart 0961540 Mid-Project Report August 14 th, 2012 Nils Dussart 0961540 CONTENTS Project Proposal... 3 Project title... 3 Faculty Advisor... 3 Project Scope and Individual Student Learning Goals... 3 Proposed Product

More information

OpenID and identity management in consumer services on the Internet

OpenID and identity management in consumer services on the Internet OpenID and identity management in consumer services on the Internet Kari Helenius Helsinki University of Technology kheleniu@cc.hut.fi Abstract With new services emerging on the Internet daily, users need

More information

An Oracle White Paper Dec 2013. Oracle Access Management Security Token Service

An Oracle White Paper Dec 2013. Oracle Access Management Security Token Service An Oracle White Paper Dec 2013 Oracle Access Management Security Token Service Disclaimer The following is intended to outline our general product direction. It is intended for information purposes only,

More information

IBM WebSphere Application Server

IBM WebSphere Application Server IBM WebSphere Application Server SAML 2.0 web single-sign-on 2012 IBM Corporation This presentation describes support for SAML 2.0 web browser Single Sign On profile included in IBM WebSphere Application

More information

Web Services Security and Federated Identity Management

Web Services Security and Federated Identity Management Web Services Security and Federated Identity Management Birgit Pfitzmann with Th. Gross, A.-S. Sadeghi, M. Waidner PaRISTIC, Bordeaux, Nov. 22, 2005 IBM Security and Privacy Research -- Goals The right

More information

Using WS-Security and SAML for Internet Single Sign On Darren Miller

Using WS-Security and SAML for Internet Single Sign On Darren Miller Using WS-Security and SAML for Internet Single Sign On Darren Miller Abstract Single Sign On solutions are desirable to reduce the number of usernames and passwords that each user has to manage. Managing

More information

Internet-Scale Identity Systems: An Overview and Comparison

Internet-Scale Identity Systems: An Overview and Comparison Internet-Scale Identity Systems: An Overview and Comparison Overview An Internet-scale identity system is an architecture that defines standardized mechanisms enabling the identity attributes of its users

More information

Allidm.com. SSO Introduction. Discovering IAM Solutions. Leading the IAM Training. @aidy_idm facebook/allidm

Allidm.com. SSO Introduction. Discovering IAM Solutions. Leading the IAM Training. @aidy_idm facebook/allidm Discovering IAM Solutions Leading the IAM Training @aidy_idm facebook/allidm SSO Introduction Disclaimer and Acknowledgments The contents here are created as a own personal endeavor and thus does not reflect

More information

Federated Identity Providers

Federated Identity Providers Federated Identity Providers and the Ipsilon project Simo Sorce Sr. Princ. Sw. Engineer, Red Hat 2015/02/06 What is Federation? In a nutshell: Dealing with users that you do not control on your own. To

More information

JVA-122. Secure Java Web Development

JVA-122. Secure Java Web Development JVA-122. Secure Java Web Development Version 7.0 This comprehensive course shows experienced developers of Java EE applications how to secure those applications and to apply best practices with regard

More information

SAML SSO Configuration

SAML SSO Configuration SAML SSO Configuration Overview of Single Sign-, page 1 Benefits of Single Sign-, page 2 Overview of Setting Up SAML 2.0 Single Sign-, page 3 SAML 2.0 Single Sign- Differences Between Cloud-Based Meeting

More information

Zendesk SSO with Cloud Secure using MobileIron MDM Server and Okta

Zendesk SSO with Cloud Secure using MobileIron MDM Server and Okta Zendesk SSO with Cloud Secure using MobileIron MDM Server and Okta Configuration Guide Product Release Document Revisions Published Date 1.0 1.0 May 2016 Pulse Secure, LLC 2700 Zanker Road, Suite 200 San

More information

Shibboleth Identity Provider (IdP) Sebastian Rieger sebastian.rieger@gwdg.de

Shibboleth Identity Provider (IdP) Sebastian Rieger sebastian.rieger@gwdg.de Shibboleth Identity Provider (IdP) Sebastian Rieger sebastian.rieger@gwdg.de Gesellschaft für wissenschaftliche Datenverarbeitung mbh Göttingen, Germany CLARIN AAI Hands On Workshop, 25.02.2009, Oxford

More information

Digital Identity Management

Digital Identity Management Digital Identity Management Roohul Halim Syed Atif Shaharyar Email: {rooha433, syesh740}@student.liu.se Supervisor: Anna Vapen, {annva@ida.liu.se} Project Report for Information Security Course Linköpings

More information

Adding Stronger Authentication to your Portal and Cloud Apps

Adding Stronger Authentication to your Portal and Cloud Apps SOLUTION BRIEF Cyphercor Inc. Adding Stronger Authentication to your Portal and Cloud Apps Using the logintc April 2012 Adding Stronger Authentication to Portals Corporate and consumer portals, as well

More information

2015-11-30. Web Based Single Sign-On and Access Control

2015-11-30. Web Based Single Sign-On and Access Control 0--0 Web Based Single Sign-On and Access Control Different username and password for each website Typically, passwords will be reused will be weak will be written down Many websites to attack when looking

More information

Standards for Identity & Authentication. Catherine J. Tilton 17 September 2014

Standards for Identity & Authentication. Catherine J. Tilton 17 September 2014 Standards for Identity & Authentication Catherine J. Tilton 17 September 2014 Purpose of these standards Wide deployment of authentication technologies that may be used in a global context is heavily dependent

More information

Whitepaper on AuthShield Two Factor Authentication with ERP Applications

Whitepaper on AuthShield Two Factor Authentication with ERP Applications Whitepaper on AuthShield Two Factor Authentication with ERP Applications By INNEFU Labs Pvt. Ltd Table of Contents 1. Overview... 3 2. Threats to account passwords... 4 2.1 Social Engineering or Password

More information