Identity Management. Audun Jøsang University of Oslo. NIS 2010 Summer School. September
Slide 1: Identity Management. Audun Jøsang, University of Oslo. NIS 2010 Summer School, September.

Slide 2: Outline
- Identity and identity management concepts
- Identity management models
- User-centric identity management
- Management of SP identities
- Security usability
- Research challenges

Slide 3: Identity related concepts
- Entity: a person, organisation, agent, system, etc.
- Identity: a set of characteristics of an entity in a specific domain. An entity may have multiple identities in the same domain.
- Attributes: representation of a characteristic. Transient or permanent, self-defined or defined by an authority, suitable for interpretation by humans and/or computers, etc. A name is an attribute used as a unique identifier. The separation between identity and name is blurred in common language.
- Digital identity: identity resulting from digital codification of attributes in a way that is suitable for processing by computer systems.
Slide 4: Relationship between Entities, Identities and Attributes (diagram)
- Entities (persons, organisations, systems) correspond to identities
- Identities consist of attributes (names, characteristics)

Slide 5: What is identity management?
- Representing and recognising entities as digital identities
- Managing name spaces
- Managing & issuing authentication credentials
- Covers AAA (Authentication, Access Control and Accounting)
- First identify, then authenticate, finally control access

Slide 6: Aspects of Identity Management (diagram)
- IdMan has technical, cultural, organisational, psychological, political, social, business & economical and legal aspects

Slide 7: Identity & access management
- Identity management
  - Identity: representing and recognising entities as digital identities; managing name spaces of unique names; mapping identities between domains
  - Authentication: registration; credentials management; entity authentication
- Access management
  - Access: authorization; access control; accounting
- AAA: Authentication, Authorization & Accounting

Slide 8: Authorization and Access Control (diagram)
- Authorization: access rules specification (subjects John, Mary; groups HR, Sales)
- Access control
- Policy definition by authority; policy encoding by custodian; policy enforcement by system

Slide 9: Basic Concepts
- Access control consists of: offline procedures, executed once; online procedures, executed repeatedly
- Offline: registration; credentials issuance
- Online: identification (Who are you?); authentication (Is it really you?); authorization / access control (Are you authorized to access this resource?)

Slide 10: Access control conceptual diagram (WS-Security terminology and architecture)
- Offline: 1 subject registration with the IdP; 2 credentials issued to the subject; 3 authorization policy defined by the system owner and administered in the PAP
- Online: 4 user authentication; 5 access request (subject, object & access type) to the PEP; 6 decision request from the PEP to the PDP; 7 access to the system resource
- PAP: Policy Administration Point; PEP: Policy Enforcement Point; PDP: Policy Decision Point; IdP: Identity Provider
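The PAP / PDP / PEP separation of slides 8 to 10 (policy defined by the authority, encoded by the custodian, enforced by the system, with authentication first and accounting of every request) is easy to lose in a diagram. The following is an added example, not code from the slides or from any WS-Security implementation: a small Python model in which the subject names, groups, resources and passwords are constructed sample data, the PAP holds group-based rules, the PDP evaluates them with default deny, and the PEP authenticates the subject before asking the PDP.

```python
"""Toy PAP / PDP / PEP separation: policy definition by authority, encoding by
custodian, enforcement by system.  Added example, not code from the original
slides.  Subject, group, resource and password values are constructed."""
import hashlib
import hmac
import os

# Offline registration: the IdP records subjects and their attributes.
REGISTERED_SUBJECTS = {
    "john": {"groups": {"HR"}},
    "mary": {"groups": {"Sales"}},
}


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class PolicyAdministrationPoint:
    """The custodian encodes the authority's rules: group -> resource -> access types."""

    def __init__(self):
        self.rules = {}

    def grant(self, group, resource, *access_types):
        self.rules.setdefault(group, {}).setdefault(resource, set()).update(access_types)


class PolicyDecisionPoint:
    """Answers a decision request by evaluating the encoded policy; default deny."""

    def __init__(self, pap):
        self.pap = pap

    def decide(self, subject, resource, access_type) -> bool:
        attrs = REGISTERED_SUBJECTS.get(subject)
        if attrs is None:
            return False                      # unregistered subject: deny
        return any(access_type in self.pap.rules.get(g, {}).get(resource, set())
                   for g in attrs["groups"])


class PolicyEnforcementPoint:
    """Front door to the resource: authenticates, asks the PDP, enforces, accounts."""

    def __init__(self, pdp, credentials):
        self.pdp = pdp
        self.credentials = credentials        # subject -> (salt, hash), issued offline
        self.audit_log = []                   # accounting: one entry per request

    def authenticate(self, subject, password) -> bool:
        entry = self.credentials.get(subject)
        if entry is None:
            return False
        salt, stored = entry
        return hmac.compare_digest(stored, _hash_password(password, salt))

    def request(self, subject, password, resource, access_type) -> str:
        # Online step: identification + authentication ("is it really you?")
        if not self.authenticate(subject, password):
            self.audit_log.append((subject, resource, access_type, "auth-failed"))
            return "denied: authentication failed"
        # Decision request to the PDP ("are you authorized?")
        permitted = self.pdp.decide(subject, resource, access_type)
        self.audit_log.append((subject, resource, access_type,
                               "permit" if permitted else "deny"))
        # Enforcement
        return "granted" if permitted else "denied: not authorized"


def build_demo() -> PolicyEnforcementPoint:
    """Wire the three points together with constructed policy and credentials."""
    pap = PolicyAdministrationPoint()
    pap.grant("HR", "personnel_records", "read", "write")
    pap.grant("Sales", "customer_list", "read")
    credentials = {}
    for subject, password in (("john", "john-pw"), ("mary", "mary-pw")):
        salt = os.urandom(16)
        credentials[subject] = (salt, _hash_password(password, salt))
    return PolicyEnforcementPoint(PolicyDecisionPoint(pap), credentials)


if __name__ == "__main__":
    pep = build_demo()
    print(pep.request("john", "john-pw", "personnel_records", "write"))  # granted
    print(pep.request("mary", "mary-pw", "personnel_records", "read"))   # denied: not authorized
    print(pep.request("john", "wrong", "personnel_records", "read"))     # denied: authentication failed
```

Note that a failed authentication is logged but never reaches the PDP: the PEP keeps the "first identify, then authenticate, finally control access" ordering of slide 5, and the audit log gives the accounting leg of AAA.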
Slide 11: Whose identity?
- User's IDs and credentials: issued by SPs & IdPs; managed by users & SPs; application layer authentication; traditional identity management
- SP's IDs and credentials: issued by DNS registrars & CAs; managed by users & SPs; transport layer authentication; not traditionally part of identity management

Slide 12: Four types of identity management
- (1) Mgmt of user IDs and credentials on SP side
- (2) Mgmt of user IDs and credentials on user side
- (3) Mgmt of SP IDs and credentials on SP side
- (4) Mgmt of SP IDs and credentials on user side
- Only type 1 is traditionally considered part of IAM
- Types 2, 3, 4 are equally important for security

Slide 13: Zooko's Triangle of Id Properties (diagram)
- Corners: Global, Unique, Memorable; petnames sit on the Unique/Memorable side, and the centre is "no names land"
- No identifier can be at the same time global, unique and memorable
Slide 14: Application of Zooko's triangle
- Desirable properties of a name: Global (can be used in the whole world); Unique (only one entity has this identifier in a domain); Memorable (passing-bus test)
- Names can only have 2 of these properties. Example: Pépés Pizza
- Global & Unique: pointer, e.g. URL. Not easy to remember
- Global & Memorable: nickname, e.g. "Pépés Pizza". There are probably multiple restaurants in the world called Pépés Pizza.
- Unique & Memorable: petname, e.g. "Pépés" stored in my personal address book

Slide 15: Passing bus test for memorability (illustration: "Pépés Pizza" written on a bus)
- If you see a name written on a passing bus, and you can remember the name after 5 minutes, then the name is memorable
Slide 16: Name spaces of unique names
- Local name spaces: staff number (within company); social security number (within state/country); bank account number (within state/country); bank box number (within branch office)
- Global name spaces: domain names; IP addresses; telephone numbers; e-mail addresses; ISBN; X.500 Directory; URI and URL; XRI; DOI; GUID

Slide 17: Identity Domains
- An identity domain is a network realm with a name space of unique names
- Management structures: single authority, e.g. user IDs in a company network; hierarchical, e.g. DNS (Domain Name System)
- A single policy is normally applied in a domain
- Integration/federation of domains requires mapping of identities of the same entity and alignment of policies (diagram: Domain A, mapping, Domain B)
Slide 18: Silo domain model (diagram)
- SP/IdP 1, SP/IdP 2 and SP/IdP 3 each have their own identity domain
- Legend: user name managed by IdP #; user credential managed by IdP #; service logon; service provision

Slide 19: Silo user-identity domains
- SP = IdP: defines name space and provides access credentials
- Unique name assigned to each entity
- Advantages: simple to deploy, low cost for SPs
- Disadvantages: identity overload for users, poor usability

Slide 20: Imagine you're a service provider: nice and simple

Slide 21: Imagine you're a customer: it's a nightmare

Slide 22: Tragedy of the Commons (illustration of password overload; sample passwords on the slide: fred, 2008Oct9, TopSecret, GuessMeNot, 123abc, Secret, abc123, FacePass, "Password = Cow", "Brain = Green")

Slide 23: Push towards Single Sign-On
- Users don't want more digital identities
- Low acceptance of new services that require separate user authentication
- Silo model requires users to provide the same information to many service providers
- Silo model makes it difficult to offer bundled services, i.e. from different service providers
- Service providers want better quality user information

Slide 24: Kerberos simplified protocol (diagram)
- Key Distribution Center: Authentication Server, Ticket Granting Server, Kerberos Database
- Workstation to Authentication Server: request service; authentication (look-up user)
- Workstation to Ticket Granting Server: request ticket; ticket
- Workstation to Servers: service access with ticket

Slide 25: Kerberos Advantages and limitations
- First practical SSO solution
- Centralized TTP (Trusted Third Party) model
- Uses only symmetric cryptography
- Requires Kerberos clients and servers + KDC
- Only suitable for organisations under common management (single domain)
- Does not scale to very large domains
- Not suitable for open environments (Internet)
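Slides 24 and 25 describe Kerberos as a symmetric-key, centralised TTP design: one manual authentication at the Authentication Server, then tickets handled automatically by the Ticket Granting Server and the application servers. The following is an added example, not code from the slides or from any Kerberos implementation: a Python simulation of the three exchanges in which `seal`/`unseal` is a toy encrypt-then-MAC construction standing in for the real Kerberos encryption types, and the principal names, passwords and ticket lifetime are constructed.

```python
"""Simplified Kerberos exchange (AS, TGS, service) with a toy symmetric cipher.
Added example, not code from the original slides.  seal/unseal is a stand-in
for Kerberos' real encryption types and is not for reuse; principals,
passwords and TICKET_LIFETIME are constructed."""
import hashlib
import hmac
import json
import os
import time

TICKET_LIFETIME = 3600  # seconds, assumed


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, obj: dict) -> bytes:
    """Encrypt-then-MAC a JSON object under a symmetric key (toy construction)."""
    nonce = os.urandom(16)
    plaintext = json.dumps(obj).encode()
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()):
        raise ValueError("integrity check failed (wrong key or tampered ticket)")
    return json.loads(bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, len(ciphertext)))))


class KDC:
    """Key Distribution Center: database + Authentication Server + Ticket Granting Server."""

    def __init__(self):
        self.database = {}               # principal -> long-term key
        self.tgs_key = os.urandom(32)    # the TGS's own key

    def register(self, principal: str, password: str):
        self.database[principal] = hashlib.sha256(password.encode()).digest()

    def authentication_server(self, user: str):
        """AS exchange: look up the user; return a session key sealed under the user's key, plus a TGT."""
        session_key = os.urandom(32)
        tgt = seal(self.tgs_key, {"user": user, "key": session_key.hex(),
                                  "exp": time.time() + TICKET_LIFETIME})
        return seal(self.database[user], {"key": session_key.hex()}), tgt

    def ticket_granting_server(self, tgt: bytes, authenticator: bytes, service: str):
        """TGS exchange: validate TGT + authenticator, issue a service ticket."""
        tgt_body = unseal(self.tgs_key, tgt)
        session_key = bytes.fromhex(tgt_body["key"])
        auth = unseal(session_key, authenticator)   # only the session-key holder can produce this
        if auth["user"] != tgt_body["user"] or time.time() > tgt_body["exp"]:
            raise PermissionError("invalid or expired TGT")
        service_key = os.urandom(32)
        ticket = seal(self.database[service], {"user": auth["user"], "key": service_key.hex(),
                                               "exp": time.time() + TICKET_LIFETIME})
        return seal(session_key, {"key": service_key.hex(), "service": service}), ticket


class Server:
    """Application server: trusts only tickets sealed under its own long-term key."""

    def __init__(self, name: str, kdc: KDC):
        self.name, self.key = name, kdc.database[name]

    def access(self, ticket: bytes, authenticator: bytes) -> str:
        body = unseal(self.key, ticket)
        auth = unseal(bytes.fromhex(body["key"]), authenticator)
        if auth["user"] != body["user"] or time.time() > body["exp"]:
            return "denied"
        return f"access granted to {body['user']}"


def workstation_login_and_access(kdc: KDC, user: str, password: str, service: str):
    """One manual authentication (the password), then automated ticket handling."""
    user_key = hashlib.sha256(password.encode()).digest()
    sealed_key, tgt = kdc.authentication_server(user)
    session_key = bytes.fromhex(unseal(user_key, sealed_key)["key"])   # fails with a wrong password
    authenticator = seal(session_key, {"user": user, "ts": time.time()})
    sealed_service_key, ticket = kdc.ticket_granting_server(tgt, authenticator, service)
    service_key = bytes.fromhex(unseal(session_key, sealed_service_key)["key"])
    return ticket, seal(service_key, {"user": user, "ts": time.time()})


if __name__ == "__main__":
    kdc = KDC()
    kdc.register("alice", "correct horse")          # constructed principals
    kdc.register("fileserver", "server-secret")
    ticket, auth = workstation_login_and_access(kdc, "alice", "correct horse", "fileserver")
    print(Server("fileserver", kdc).access(ticket, auth))
```

Two properties of the slide's "centralized TTP" model are visible here: the user's password never leaves the workstation (a wrong password simply fails to open the sealed session key), and every server must share a long-term key with the KDC, which is why the model stays within one administrative domain.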
Slide 26: Traditional Single Sign-On (SSO) Model (diagram)
- Centralised user IdP with a single identity domain; SP 1, SP 2, ...
- Legend: user name issued by IdP #; security assertion sent by IdP #; user credential managed by IdP #; service logon; service provision
- Examples: Kerberos, …

Slide 27: Traditional SSO
- Single authority/infrastructure that acts as identity and credentials provider
- Single authority authenticates users on behalf of all SPs
- Advantages: well suited for SPs under single management, e.g. within large private and government organisations; good usability
- Disadvantages: politically difficult to implement in open environments. Who trusts authentication by other organisations?

Slide 28: Federated SSO model (diagram)
- Federation domain / circle of trust containing SP/IdP 1, SP/IdP 2 and SP/IdP 3, each with its own identity domain, with SSO to other domains and identity mapping between them
- Legend: user name issued by IdP #; user credential managed by IdP #; security assertion sent by IdP #; service logon; service provision
- Examples: Liberty Alliance, SAML 2.0, WS-Federation, Shibboleth

Slide 29: Federated SSO
- Identity Federation: a set of agreements, standards and technologies that enable a group of SPs to recognise user identities and entitlements from other SPs
- Identity (and credential) provision as for the silo model
- Mapping between a user's different identities
- Authentication by one SP, communicated as security assertions to other SPs
- Provides SSO in open environments

Slide 30: Standards for Federated SSO
- What are the standards? SAML (OASIS); Liberty ID-FF (Liberty Alliance), merged with SAML 2.0; WS-Federation (IBM, Microsoft)
- Standards-based solutions make life easier: multi-vendor interoperability; reduced technology lock-in; benefit from the experience of others

Slide 31: Profiles for Id Federation
- Front channel: security assertion sent from IdP via client to service provider
- Back channel: security assertion sent directly from IdP to service provider

Slide 32: Open SSO identity model (diagram)
- Common identity domain with SP 1 and distributed user IdPs 2 and 3
- Legend: user name managed by IdP #; user credential managed by IdP #; security assertion issued by IdP #; service logon; service provision
- Example: OpenID

Slide 33: Open SSO identity model
- Single common identifier name space, e.g. based on URIs or XRIs
- Distributed assignment of names: each IdP controls its own domain name; registers users under the domain name; whoever controls a domain name can be an IdP
- IdPs are involved for every service access; they can collect info about service access
Slide 34: OpenID self registration (screenshot; sample user "fred" with password "bad password")

Slide 35: OpenID SSO Service Access (screenshot)

Slide 36: OpenID First Time Service Access (screenshot)

Slide 37: OpenID Characteristics
- Self registration
- ID Providers are not authorities
- You can be your own ID Provider and Server
- Only supports AAL-1: not suitable for sensitive services; targets online services with AAL-1
- Open to multiple forms of abuse, e.g. phishing

Slide 38: OpenID Phishing (diagram)
- Phishing attack with OpenID: SP 1, distributed user IdP 2 and an attacker IdP in the common identity domain
- Legend: user name managed by IdP #; user credential managed by IdP #; security assertion issued by IdP #; service logon; service provision

Slide 39: OpenID Business Model
- For ID Providers: collection of market data; knows who uses which service; fragmentation of the ID Provider market is a threat
- For Service Providers (Relying Party): potentially more traffic and business
- For users: avoid multiple identities; avoids typing passwords (must still type the OpenID name)
Slide 40: Microsoft's InfoCard model (diagram)
- SP 1 and SP 2 each with their own identity domain; InfoCard user IdP 3 with a card selector on the client; SSO to other domains
- Legend: user name managed by IdP #; user credential managed by IdP #; security assertion issued by IdP #; service logon; service provision

Slide 41: Global user identity domain (diagram)
- Common identity domain with IdP 4, SP 1, SP 2, SP 3 and the user entity
- Legend: user name (X.509 cert.) issued/registered by IdP #; authentication credential issued by IdP #; service provider entity; service access; service provision
- Example: PKI with user certificates

Slide 42: Global user identity domain
- IdPs define/register names and issue/record credentials
- All SPs recognise and authenticate the same user by the same name
- Advantages: simple to manage for users and for SPs
- Disadvantages: politically difficult to define the name space; SPs don't trust names/credentials issued by a third party; utopic solution

Slide 43: A closer look at SSO
- Single manual authentication, repeated automated authentications
- SSO is simply automated authentication
- Where to put the automation? On server, network and client side: traditional SSO (Kerberos, InfoCard); on server and network side: federated SSO; on client side only: local user-centric SSO

Slide 44: SSO technology location (table, filled in from slide 43)
- Kerberos: client side, network, server side
- Federated models: network, server side
- Information card: client side, network, server side
- Local user-centric: client side
Slide 45: User-centric identity management
- Buzzword with positive connotation
- Possible interpretations: 1. any architecture that improves the user experience; 2. giving users control of their identities; 3. giving users control of privacy; 4. identity management technology located on the user/client side: local user-centric identity management

Slide 46: Client-side location for local user-centric identity management
- Workstation, e.g. SW-based password wallet
- Mobile phone, e.g. SW/SIM-based password wallet
- OffPAD, e.g. display smartcard, iPod or other offline device

Slide 47: Local user-centric model (diagram)
- SP/IdP 1, SP/IdP 2 and SP/IdP 3 each with their own identity domain; the user's PAD (Personal Authentication Device) is a repository of authentication tokens and IDs
- Legend: user name managed by IdP #; user credential managed by IdP #; service logon; service provision

Slide 48: Local user-centric: Imagine you're a customer: it's a dream

Slide 49: Local user-centric SSO
- Advantages: improved usability; compatible with silo identity domains; low trust requirements; strong privacy protection
- Disadvantages: does not allow SPs to control service bundling; does not allow SPs to collect user information; requires user-side software or hardware; requires user education

Slide 50: SSO model suitability
- Federated SSO, well suited for: large organisations; government organisations; closely associated organisations; related Web service providers
- Local user-centric SSO, well suited for: open networks; e-commerce; unrelated Web services

Slide 51: Combining federated and user-centric identity management (diagram: federation domains 1, 2 and 3 alongside a personal Id domain)
Slide 52: Federation technology resources
- Shibboleth: open source software
- Liberty Alliance: industry consortium; provides specifications and white papers
- SAML 2.0: OASIS XML format standards for exchanging authentication info
- WS-Federation: IBM, Microsoft et al.; specification based on the WS-Security roadmap (OASIS standards)

Slide 53: Id Federation Standards Evolution (timeline diagram)
- Liberty phase 1 → Liberty 1.1 & 1.2 → Liberty Federation
- SAML 1.0 → SAML 1.1 → SAML 2.0
- Shibboleth (2000) → Shibboleth 1.2 → Shibboleth 2.0
- Microsoft Passport (1999) → Microsoft Passport → Microsoft Live Id
- CardSpace → Information Card (2009)
- OpenID 1.0 → OpenID 2.0
- WS-Federation (MS / IBM) → WS-Federation

Slide 54: Service Provider Identity Authentication? (diagram: user/client, Internet, service provider/server; TLS SP authentication with certificate)
- Authentication of business and government websites
- Mostly ignored in identity management discussions
- PKI is not enough
- Extremely important!!!

Slide 55: SP identity management
- Traditionally not considered as part of identity management
- No clear unique SP name
- Currently a major problem: phishing attacks; virus and Trojan attacks; GUI attacks
- Security fails despite strong crypto: poor usability; poor platform security
- Identity federation and SSO are no solution to SP identity management problems

Slide 56: SP identity management, common domain model (diagram)
- Users 1, 2, 3 and the SP entity in a common identity domain; domain name registrar / IdP 4 issues the domain name; certificate authority (CA) 5 issues the X.509 certificate
- Legend: domain name issued by IdP #; X.509 certificate issued by CA #; service access; SP authentication
- Example: browser PKI

Slide 57: Common SP identity domain
- Global name space for SP names: URIs
- Multiple authorities acting as IdP and credentials provider
- All users/clients authenticate the same SP by the same name and credential
- Advantages: simple model (PKI in practice), technology exists; good usability possible when well implemented
- Disadvantages: hard to implement well

Slide 58: Meaningless authentication with TLS (diagram: victim client and attacker server acting as a fake bank)
- 1 spam phishing; 2 service request to the fake bank; 3 TLS setup with the attacker's certificate A; 4 connection, padlock displayed and viewed; 5 fake login page; 6 hijacked login
Slide 59: The great server certificate swindle
- SSL designed to provide: confidentiality, possible with RSA or Diffie-Hellman; authentication, possible with RSA only
- RSA requires certificates, Diffie-Hellman does not
- In practice, SSL does not provide authentication: only confidentiality; RSA not needed
- Conclusion: certificates worthless for SSL; only valuable for marketing to stimulate (false) trust
Slide 60: A phishing example: Hawaii Federal Credit Union. Genuine bank login (URL on the slide ends in RS/Common/Login/NettLogin.asp) vs. fake bank login

Slide 61: Certificate comparison 1 (screenshots: genuine certificate vs. fake certificate)

Slide 62: Certificate comparison 2 (screenshots: genuine certificate vs. fake certificate)

Slide 63: Certificate comparison 3 (screenshots: genuine certificate vs. fake certificate)

Slide 64: Petnames in server authentication (diagram)
- Users 1 and 2 each act as their own IdP on a PDA / mobile; domain name registrar / IdP 4 issues the domain name; the CA issues the X.509 certificate; identifier mapping between petname and domain name
- Legend: domain name issued by IdP #; petname defined by user #; X.509 certificate issued by CA #; SP entity; service access; SP authentication

Slide 65: Local user-centric SP identity domains
- Users create a petname for each SP
- Petnames can be names, graphics or sound
- Petnames are mapped to global unique names
- Advantages: improved usability
- Disadvantages: requires additional technology for managing SP identities, e.g. Mozilla TrustBar

Slide 66: Local user-centric server authentication (diagram: user, client and Bank 2 server)
- 1 access; 2 SSL setup with Cert B; 3 login page (HTML B); 4 Cert B and HTML B held on the client side; 5 and 6 login

Slide 67: SP identity management: principle of Mozilla TrustBar
- Personalised graphical logo and/or sound as site identifier
- Toolbar for the Mozilla and Firefox browsers
- Server certificates personalised by the user
- Personal graphics or sound played when the SP certificate is recognised by the browser
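Slides 64 to 67 describe the client-side half of SP identity management: the user attaches a petname (a name, logo or sound) to a server identity, and the browser shows that petname only when the same server credential is seen again. The following is an added example, not Mozilla TrustBar's code or anything from the slides: a Python petname store in which the global unique name is the domain plus a SHA-256 fingerprint of the certificate, and the domains and certificate byte strings are constructed sample data.

```python
"""Local petname store for SP (server) identities.  Added example, not the
Mozilla TrustBar's code.  Domains and certificate bytes are constructed; the
petname is the user's own label (name, logo file name or sound) for a server."""
import hashlib


def cert_fingerprint(cert_der: bytes) -> str:
    """Global unique name for a server credential: SHA-256 over the (constructed) DER bytes."""
    return hashlib.sha256(cert_der).hexdigest()


class PetnameStore:
    """Maps the user's petname to a global unique name (domain + certificate fingerprint)."""

    def __init__(self):
        self.entries = {}          # domain -> {"petname": str, "fingerprint": str}

    def assign(self, domain: str, cert_der: bytes, petname: str):
        """The user defines a petname the first time they deliberately trust a site."""
        self.entries[domain] = {"petname": petname, "fingerprint": cert_fingerprint(cert_der)}

    def recognise(self, domain: str, cert_der: bytes) -> dict:
        """Called on every TLS connection; the browser shows the petname only on a match."""
        entry = self.entries.get(domain)
        if entry is None:
            # No petname: the browser shows nothing, whatever the padlock says.
            return {"status": "unknown-site", "petname": None}
        if entry["fingerprint"] != cert_fingerprint(cert_der):
            # Same domain, different credential: withhold the petname and flag it.
            return {"status": "certificate-changed", "petname": None}
        return {"status": "recognised", "petname": entry["petname"]}


def demo() -> list:
    """Constructed scenario: the genuine bank, then a look-alike domain with its own valid cert."""
    store = PetnameStore()
    genuine_cert = b"-- constructed DER for www.example-bank.test --"
    lookalike_cert = b"-- constructed DER for www.examp1e-bank.test --"
    store.assign("www.example-bank.test", genuine_cert, "My Bank (blue logo)")
    return [
        store.recognise("www.example-bank.test", genuine_cert),    # recognised
        store.recognise("www.examp1e-bank.test", lookalike_cert),  # unknown-site: no logo
        store.recognise("www.example-bank.test", lookalike_cert),  # certificate-changed
    ]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The point of the slide's "meaningless authentication" argument shows up in the second case: the look-alike site may well present a CA-issued certificate and a padlock, but because the user never assigned it a petname, the familiar logo or sound is absent, which is the cue the user actually recognises.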
Slide 68: Identity management security problems
- Poor security usability creates vulnerabilities
- Password fatigue leads to password re-use
- SSO aimed at improving usability, but: system complexity; privacy threats; requires trust between many parties; malware that attacks platforms
Slide 69: IdMan with Man-in-the-Browser Trojan
- Attacks become more sophisticated
- A man-in-the-browser Trojan is malware that changes transaction data while they are being submitted from browser to bank, e.g. the Zeus Trojan
- User authentication is insufficient; data/transaction authentication is necessary
- Requires dual-channel authentication, assuming that the 2nd channel is not compromised

Slide 70: Man-in-the-browser attack (diagram: user, client, bank server)
1. Specify sender/destination accounts and amount
2. Change destination account and amount
3. Transmit wrong transaction data
4. Send money to attacker

Slide 71: Protecting against Man-in-the-browser attack (diagram: user, client, Internet, bank server, cellular network, mobile phone)
1. Specify sender/destination accounts and amount
2. Data transmission
3. SMS with authorization code, destination account and amount
4. View SMS
5. Decide if transaction data in SMS are correct
6. Copy authorization code to browser
7. Data transmission
8. Verify authorization code and execute transaction
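The eight steps of slide 71 defend against the attack of slide 70 only if the SMS carries the destination and amount the bank actually received, and if the authorization code is tied to that data. The following is an added example, not code from the slides or from any bank: a Python simulation of steps 1 to 8 in which the account numbers, amounts and SMS wording are constructed, the SMS channel is represented by a returned string, and the code is an HMAC over the received transaction data so that data altered after the SMS was sent also fails verification.

```python
"""Dual-channel transaction authorization against a man-in-the-browser Trojan
(steps 1-8 of the slide).  Added example, not code from the original slides.
Account numbers, amounts and the SMS format are constructed; the second channel
is simulated, and the phone is assumed not to be compromised, as on the slide."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Transaction:
    source: str
    destination: str
    amount: int


class BankServer:
    def __init__(self):
        self.key = secrets.token_bytes(32)   # server-side MAC key (assumed)
        self.pending = {}                    # user -> (transaction as received, nonce)
        self.executed = []

    def _code(self, user: str, tx: Transaction, nonce: str) -> str:
        """Authorization code bound to the transaction data the bank actually received."""
        msg = f"{user}|{tx.source}|{tx.destination}|{tx.amount}|{nonce}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()[:6].upper()

    def step2_receive(self, user: str, tx: Transaction) -> str:
        """Steps 2 + 3: record what was received and send the SMS over the second channel."""
        nonce = secrets.token_hex(8)
        self.pending[user] = (tx, nonce)
        return f"Code {self._code(user, tx, nonce)} authorises {tx.amount} to account {tx.destination}"

    def step8_verify(self, user: str, tx: Transaction, code: str) -> bool:
        """Steps 7 + 8: the code must match both the pending data and the resubmitted data."""
        received, nonce = self.pending.pop(user, (None, None))
        if received is None or tx != received:
            return False
        if not hmac.compare_digest(self._code(user, tx, nonce), code):
            return False
        self.executed.append((user, tx))
        return True


def user_checks_sms(sms: str, intended: Transaction) -> bool:
    """Steps 4 + 5: the user compares destination and amount in the SMS with what they typed."""
    return f"{intended.amount} to account {intended.destination}" in sms


def parse_code(sms: str) -> str:
    """Step 6: the user copies the code from the SMS into the browser."""
    return sms.split()[1]


def run_transfer(bank: BankServer, user: str, intended: Transaction, trojan=None) -> str:
    """Steps 1-8; `trojan`, if given, rewrites the data on its way from browser to bank."""
    sent = trojan(intended) if trojan else intended         # steps 1 -> 2
    sms = bank.step2_receive(user, sent)                    # step 3
    if not user_checks_sms(sms, intended):                  # steps 4, 5
        return "aborted: SMS shows different destination or amount"
    code = parse_code(sms)                                  # step 6
    ok = bank.step8_verify(user, sent, code)                # steps 7, 8
    return "executed" if ok else "rejected: authorization code mismatch"


def swap_destination(tx: Transaction) -> Transaction:
    """Constructed man-in-the-browser behaviour: redirect the money, keep the amount."""
    return Transaction(tx.source, "ATTACKER-ACCT", tx.amount)


if __name__ == "__main__":
    bank = BankServer()
    honest = Transaction("ACC-1001", "ACC-2002", 250)
    print(run_transfer(bank, "alice", honest))                           # executed
    print(run_transfer(bank, "alice", honest, trojan=swap_destination))  # aborted: ...
```

The check in step 5 is the user's, not the bank's: the bank cannot tell the Trojan's data from the user's, so the SMS must carry the destination and amount rather than just a code, which is exactly what the slide's step 3 specifies.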
Slide 72: Research challenges
- Usability of security
- Seamless integration of user-centric and other models
- Protocols: mobile integration; dual-channel authentication protocols; trusted platforms
- Privacy
- Recovery from Id theft: proving that a false Id profile is not you
- Personalisation of SP identities
- Name spaces
- Governance

Slide 73: Thank you for your attention. Questions?
Single Sign On and ID Management Single Sign On SSO & ID Management for Web and Mobile Applications Presenter: Manish Harsh Program Manager for Developer Marketing Platforms of NVIDIA (Visual Computing
More informationQR-SSO : Towards a QR-Code based Single Sign-On system
QR-SSO : Towards a QR-Code based Single Sign-On system Syamantak Mukhopadhyay School of Electronics and Computer Science University of Southampton Southampton, UK sm19g10@ecs.soton.ac.uk David Argles School
More informationIDENTITY INFORMATION MANAGMENT ARCHITECTURE SUMMARY Architecture and Standards Branch Office of the CIO Province of BC People Collaboration Innovation
IDENTITY INFORMATION MANAGMENT ARCHITECTURE SUMMARY Architecture and Standards Branch Author: Creation Date: Last Updated: Version: I. Bailey May 28, 2008 March 23, 2009 0.7 Reviewed By Name Organization
More information> Please fill your survey to be eligible for a prize draw. Only contact info is required for prize draw Survey portion is optional
Web Access Management May 2008 CA Canada Seminar > Please fill your survey to be eligible for a prize draw Only contact info is required for prize draw Survey portion is optional > How to Transform Tactical
More informationMasdar Institute Single Sign-On: Standards-based Identity Federation. John Mikhael ICT Department jmikhael@masdar.ac.ae
Masdar Institute Single Sign-On: Standards-based Identity Federation John Mikhael ICT Department jmikhael@masdar.ac.ae Agenda The case for Single Sign-On (SSO) Types of SSO Standards-based Identity Federation
More informationIdentity Management im Liberty Alliance Project
Rheinisch-Westfälische Technische Hochschule Aachen Lehrstuhl für Informatik IV Prof. Dr. rer. nat. Otto Spaniol Identity Management im Liberty Alliance Project Seminar: Datenkommunikation und verteilte
More informationWeb Services and Federated Identity Management
Web Services and Federated Identity Management Birgit Pfitzmann, bpf@zurich.ibm.com with Thomas Gross, Ahmad Sadeghi DIMACS, May 6, 2005 www.zurich.ibm.com What s New about Federated Identity Management?
More informationTrust Requirements in Identity Management
Trust Requirements in Identity Management Audun Jøsang, John Fabre 2, Brian Hay 2, James Dalziel, Simon Pope Distributed Systems Technology Centre {ajosang, simon.pope}@dstc.edu.au 2 Telstra Research Laboratories
More informationMobile Security. Policies, Standards, Frameworks, Guidelines
Mobile Security Policies, Standards, Frameworks, Guidelines Guidelines for Managing and Securing Mobile Devices in the Enterprise (SP 800-124 Rev. 1) http://csrc.nist.gov/publications/drafts/800-124r1/draft_sp800-124-rev1.pdf
More informationLeverage Active Directory with Kerberos to Eliminate HTTP Password
Leverage Active Directory with Kerberos to Eliminate HTTP Password PistolStar, Inc. PO Box 1226 Amherst, NH 03031 USA Phone: 603.547.1200 Fax: 603.546.2309 E-mail: salesteam@pistolstar.com Website: www.pistolstar.com
More informationIntroduction to SAML
Introduction to THE LEADER IN API AND CLOUD GATEWAY TECHNOLOGY Introduction to Introduction In today s world of rapidly expanding and growing software development; organizations, enterprises and governments
More informationArchitecture Guidelines Application Security
Executive Summary These guidelines describe best practice for application security for 2 or 3 tier web-based applications. It covers the use of common security mechanisms including Authentication, Authorisation
More informationLeveraging SAML for Federated Single Sign-on:
Leveraging SAML for Federated Single Sign-on: Seamless Integration with Web-based Applications whether cloudbased, private, on-premise, or behind a firewall Single Sign-on Layer v.3.2-006 PistolStar, Inc.
More informationOn A-Select and Federated Identity Management Systems
On A-Select and Federated Identity Management Systems Joost Reede August 4, 2007 Master s Thesis Information Systems Chair Computer Science Department University of Twente ii This thesis is supervised
More informationIMPLEMENTING SINGLE SIGN- ON USING SAML 2.0 ON JUNIPER NETWORKS MAG SERIES JUNOS PULSE GATEWAYS
APPLICATION NOTE IMPLEMENTING SINGLE SIGN- ON USING SAML 2.0 ON JUNIPER NETWORKS MAG SERIES JUNOS PULSE GATEWAYS SAML 2.0 combines encryption and digital signature verification across resources for a more
More informationSecurity+ Guide to Network Security Fundamentals, Third Edition Chapter 8 Authentication
Security+ Guide to Network Security Fundamentals, Third Edition Chapter 8 Authentication Objectives Define authentication Describe the different types of authentication credentials List and explain the
More informationNIST s Guide to Secure Web Services
NIST s Guide to Secure Web Services Presented by Gaspar Modelo-Howard and Ratsameetip Wita Secure and Dependable Web Services National Institute of Standards and Technology. Special Publication 800-95:
More informationDigital Identity and Identity Management Technologies.
I. Agudo, Digital Identity and Identity Management Technologies, UPGRADE - The European Journal of the Informatics Professional, vol. 2010, pp. 6-12, 2010. NICS Lab. Publications: https://www.nics.uma.es/publications
More informationAn Identity Management Survey. on Cloud Computing
Int. Journal of Computing and Optimization, Vol. 1, 2014, no. 2, 63-71 HIKARI Ltd, www.m-hikari.com http://dx.doi.org/10.12988/ijco.2014.458 An Identity Management Survey on Cloud Computing Ardi BENUSI
More informationThe Role of Federation in Identity Management
The Role of Federation in Identity Management August 19, 2008 Andrew Latham Solutions Architect Identity Management 1 The Role of Federation in Identity Management Agenda Federation Backgrounder Federation
More informationSAP Single Sign-On 2.0 Overview Presentation
SAP Single Sign-On 2.0 Overview Presentation March 2016 Public Agenda SAP security portfolio Overview SAP Single Sign-On Single sign-on main scenarios Capabilities Summary 2016 SAP SE or an SAP affiliate
More informationHOBCOM and HOBLink J-Term
HOB GmbH & Co. KG Schwadermühlstr. 3 90556 Cadolzburg Germany Tel: +49 09103 / 715-0 Fax: +49 09103 / 715-271 E-Mail: support@hobsoft.com Internet: www.hobsoft.com HOBCOM and HOBLink J-Term Single Sign-On
More informationSCUR203 Why Do We Need Security Standards?
SCUR203 Why Do We Need Security Standards? Cristina Buchholz Product Security, SAP Learning Objectives As a result of this workshop, you will be able to: Recognize the need for standardization Understand
More informationDesigning federated identity management architectures for addressing the recent attacks against online financial transactions.
Designing federated identity management architectures for addressing the recent attacks against online financial transactions. Dr. Christos K. Dimitriadis Security Officer INTRALOT S.A. Scope and Agenda
More informationAuthentication Methods
Authentication Methods Overview In addition to the OU Campus-managed authentication system, OU Campus supports LDAP, CAS, and Shibboleth authentication methods. LDAP users can be configured through the
More informationThis Working Paper provides an introduction to the web services security standards.
International Civil Aviation Organization ATNICG WG/8-WP/12 AERONAUTICAL TELECOMMUNICATION NETWORK IMPLEMENTATION COORDINATION GROUP EIGHTH WORKING GROUP MEETING (ATNICG WG/8) Christchurch New Zealand
More informationStandards for Identity & Authentication. Catherine J. Tilton 17 September 2014
Standards for Identity & Authentication Catherine J. Tilton 17 September 2014 Purpose of these standards Wide deployment of authentication technologies that may be used in a global context is heavily dependent
More informationScalable Authentication
Scalable Authentication Rolf Lindemann Nok Nok Labs, Inc. Session ID: ARCH R07 Session Classification: Intermediate IT Has Scaled Technological capabilities: (1971 2013) Clock speed x4700 #transistors
More informationWebLogic Server 7.0 Single Sign-On: An Overview
WebLogic Server 7.0 Single Sign-On: An Overview Today, a growing number of applications are being made available over the Web. These applications are typically comprised of different components, each of
More informationPassword Power 8 Plug-In for Lotus Domino Single Sign-On via Kerberos
Password Power 8 Plug-In for Lotus Domino Single Sign-On via Kerberos PistolStar, Inc. PO Box 1226 Amherst, NH 03031 USA Phone: 603.547.1200 Fax: 603.546.2309 E-mail: salesteam@pistolstar.com Website:
More informationEXTENDING SINGLE SIGN-ON TO AMAZON WEB SERVICES
pingidentity.com EXTENDING SINGLE SIGN-ON TO AMAZON WEB SERVICES Best practices for identity federation in AWS Table of Contents Executive Overview 3 Introduction: Identity and Access Management in Amazon
More informationmanaging SSO with shared credentials
managing SSO with shared credentials Introduction to Single Sign On (SSO) All organizations, small and big alike, today have a bunch of applications that must be accessed by different employees throughout
More informationSAML-Based SSO Solution
About SAML SSO Solution, page 1 SAML-Based SSO Features, page 2 Basic Elements of a SAML SSO Solution, page 2 SAML SSO Web Browsers, page 3 Cisco Unified Communications Applications that Support SAML SSO,
More informationAPI-Security Gateway Dirk Krafzig
API-Security Gateway Dirk Krafzig Intro Digital transformation accelerates application integration needs Dramatically increasing number of integration points Speed Security Industrial robustness Increasing
More informationIdentity opens the participation age. Dr. Rainer Eschrich. Program Manager Identity Management Sun Microsystems GmbH
Identity opens the participation age Open Web Single Sign- On und föderierte SSO Dr. Rainer Eschrich Program Manager Identity Management Sun Microsystems GmbH Agenda The Identity is the Network Driving
More informationThe Identity Metasystem: A User-Centric, Inclusive Web Authentication Solution
The Identity Metasystem: A User-Centric, Inclusive Web Authentication Solution Position paper for the W3C Workshop on Transparency and Usability of Web Authentication New York City, March 2006 Michael
More informationSecure Identity in Cloud Computing
Secure Identity in Cloud Computing Michelle Carter The Aerospace Corporation March 20, 2013 The Aerospace Corporation 2013 All trademarks, service marks, and trade names are the property of their respective
More informationSingle Sign-On for the Internet: A Security Story. Eugene Tsyrklevich eugene@tsyrklevich.name Vlad Tsyrklevich vlad902@gmail.com
Single Sign-On for the Internet: A Security Story Eugene Tsyrklevich eugene@tsyrklevich.name Vlad Tsyrklevich vlad902@gmail.com BlackHat USA, Las Vegas 2007 Introduction With the explosion of Web 2.0 technology,
More informationSEC100 Secure Authentication and Data Transfer with SAP Single Sign-On. Public
SEC100 Secure Authentication and Data Transfer with SAP Single Sign-On Public Speakers Las Vegas, Oct 19-23 Christian Cohrs, Area Product Owner Barcelona, Nov 10-12 Regine Schimmer, Product Management
More informationPROVIDING SINGLE SIGN-ON TO AMAZON EC2 APPLICATIONS FROM AN ON-PREMISES WINDOWS DOMAIN
PROVIDING SINGLE SIGN-ON TO AMAZON EC2 APPLICATIONS FROM AN ON-PREMISES WINDOWS DOMAIN CONNECTING TO THE CLOUD DAVID CHAPPELL DECEMBER 2009 SPONSORED BY AMAZON AND MICROSOFT CORPORATION CONTENTS The Challenge:
More informationContents. Identity Assurance (Scott Rea Dartmouth College) IdM Workshop, Brisbane Australia, August 19, 2008
Identity Assurance (Scott Rea Dartmouth College) IdM Workshop, Brisbane Australia, August 19, 2008 Contents Authentication and Identity Assurance The Identity Assurance continuum Plain Password Authentication
More informationFlexible Identity Federation
Flexible Identity Federation Administration guide version 1.0.1 Publication history Date Description Revision 2015.09.24 initial release 1.0.0 2015.12.11 minor updates 1.0.1 Copyright Orange Business Services
More informationBringing Cloud Security Down to Earth. Andreas M Antonopoulos Senior Vice President & Founding Partner www.nemertes.com
Bringing Cloud Security Down to Earth Andreas M Antonopoulos Senior Vice President & Founding Partner www.nemertes.com Agenda About Nemertes Cloud Dynamics and Adoption Assessing Risk of Cloud Services
More informationSingle Sign-on. Overview. Using SSO with the Cisco WebEx and Cisco WebEx Meeting. Overview, page 1
Overview, page 1 Using SSO with the Cisco WebEx and Cisco WebEx Meeting Applications, page 1 Requirements, page 2 Configuration of in Cisco WebEx Messenger Administration Tool, page 3 Sample Installation
More informationAgenda. How to configure
dlaw@esri.com Agenda Strongly Recommend: Knowledge of ArcGIS Server and Portal for ArcGIS Security in the context of ArcGIS Server/Portal for ArcGIS Access Authentication Authorization: securing web services
More informationSecuring Enterprise: Employability and HR
1 Securing Enterprise: Employability and HR Federation and XACML as Security and Access Control Layer Open Standards Forum 2 Employability and HR Vertical Multiple Players - Excellent case for federation
More informationFederated Identity and Trust Management
Redpaper Axel Buecker Paul Ashley Neil Readshaw Federated Identity and Trust Management Introduction The cost of managing the life cycle of user identities is very high. Most organizations have to manage
More information... Chair of Mobile Business & Multilateral Security. Privacy vs. Data: Business Models in the digital, mobile Economy
Privacy vs. Data: Business Models in the digital, mobile Economy Lecture 11 (Mobile) Identity Management SS 2015 Dr. Andreas Albers Chair of Mobile Business & Multilateral Security The Identity Concept
More information