Masdar Institute Single Sign-On: Standards-based Identity Federation. John Mikhael ICT Department

Transcription

1 Masdar Institute Single Sign-On: Standards-based Identity Federation John Mikhael ICT Department

2 Agenda The case for Single Sign-On (SSO) Types of SSO Standards-based Identity Federation Masdar Institute SSO Platform implementation The way forward: Establishing Ankabut Identity Federation

3 Why SSO?

4 What does SSO provide? Central management of user accounts, reducing the cost and time required for user provisioning. Reducing support costs due to lower number of help desk calls about passwords. Eliminates the inconvenience of re-prompting users, leading to improved user experience. Termination of access for corporate accounts results in immediate revocation of access to applications.

5 What does SSO provide? Strengthens security and reduces the risk of a breach by providing a single centralized authentication point for applying stronger policies. Provides fine-grained security reporting and auditing by centrally tracking user access to information.

6 Types of SSO Password Synchronization Very primitive, only helps with password management Enterprise SSO Each application still authenticates but behind the scenes, password expiry needs to be handled on application by application Web Access Management Token-based protocol, suitable for intranet uses only Standards-based Identity Federation

7 Standards-based Identity Federation OASIS standards SAML (Security Assertion Markup Language) WS-Federation Other standards OAuth OpenID

8 SAML Most widely adopted standard for identity federation. Many public and private sector entities in Canada, China, Germany, Netherlands, UK, USA, An open standard backed by a global consortium. Support by all major vendors/providers. Google, IBM, Microsoft, Novell, Oracle, RSA, SAP, Applies the best PKI standards for the exchange of identity information. SAML tokens contain user attributes, simplifies implementing authorization rules.

9 Basic Authentication Scenario

10 What is required to implement a SAML-based federation? A SAML IdP linked to your existing LDAP. For applications that are SAML-aware, a simple configuration to establish trust to your SAML IdP. For applications that are not SAML-aware: Most vendors provide plug-ins to add SAML support. For in-house development, there are available frameworks that can add SAML support (e.g. OpenSAML, SimpleSAMLphp, WIF). Deploy a SAML Assertion Consumer Service (e.g. Shibboleth SP).

11 Platform Implementation: Shibboleth IdP Developed under the Internet2 Middleware Initiative. The most widely deployed federated identity solution in the education domain. Over 4 million students, staff, and faculty. An open source Java web application. Zero cost, has minimal hardware and software requirements. Easy to deploy and configure (requires some knowledge of web app administration basics).

12 Platform Implementation: Shibboleth IdP Can link to any standard LDAP repository. Also supports fetching user attributes from relational databases. A Kerberos login handler is available that can automatically authenticate the user if logged on to a Windows domain. Admin can define policies to control what data is released to which Service Provider. Only limitation: No support for WS-Federation standard (required by Sharepoint, Exchange OWA)

13 Platform Implementation: Demo Demo

14 The way forward: Ankabut Identity Federation A federation is a collection of organizations that have agreed to interoperate using a common set of rules. Using SAML means no extra effort is required to interconnect the different universities, apart from establishing trust.

15 Ankabut Identity Federation The objective is to simplify inter-organizational access to learning resources. With a single login a student can access the different services offered by the federation members. Without a federation With a federation

16 Ankabut Identity Federation: Benefits Facilitates sharing of content and collaboration across organizations. Users identify themselves locally with their home institution, then pass only relevant and necessary attributes to the resource. An access control decision is made by the Resource based on the retrieved information about the user. Reduces the need for per-service account provisioning, without compromising the service security.

17 Example Federations AAF (Australia) CARSI (China) DFN-AAI (Germany) Canadian Access Federation (Canada) GakuNin (Japan) RENATER (France) RedIRIS (Spain) SURFfederatie (Netherlands) SWITCHaai (Switzerland) UK Access Management Federation (UK) InCommon (USA)

18 Ankabut Identity Federation: Eankabut PoC Implemented a PoC using one test IdP (Eankabut), one IdP at Masdar Institute, two SP s (Moodle, ASP.NET app), one WAYF service. You can access the PoC website at We will provide test credentials for anyone interested to try the service Contact: jmikhael@masdar.ac.ae

19 Ankabut Identity Federation: Demo Demo

20 Thank You!