Identity Federation: Bridging the Identity Gap. Michael Koyfman, Senior Global Security Solutions Architect

Transcription

1 Identity Federation: Bridging the Identity Gap Michael Koyfman, Senior Global Security Solutions Architect

2 The Need for Federation 5 key patterns that drive Federation evolution - Mary E. Ruddy, Gartner The movement of applications out of the enterprise domain The movement of user populations out of the enterprise domain The movement of devices out of the enterprise domain The movement of IAM out of the enterprise domain The movement of the enterprise domain itself F5 Agility

3 Federated Identity What is it? Companies outsource applications and infrastructure at very rapid pace Having each application enforce the authority over user s identity is cumbersome There is no cross-application password synchronization mechanism User s can t easily manage coterminous password expiration across various applications Not all applications can support the same userid format as being primarily used Companies need to provide access to customers and partners without increased headaches of manually managing user accounts and password resets F5 Agility

4 Federated Identity How does it help? Controls identity and access within the enterprise Flexibility to use cloud applications and infrastructure Creates a trust between two entities with industry standards Allows B2B authentication with cloud and SaaS providers Instant termination of authentication upon employee departure No need to duplicate directory everywhere F5 Agility

5 SAML Post vs. Artifact POST binding The user s browser will be in between all communications of the SP and IdP. The user browser acts as an intermediary for the transmission of all messages Disadvantages: All communications are going through the user s browser, so the messages could be intercepted by malicious code on the user s PC. Advantages: Simpler than Artifact binding Artifact binding Partial direct connection between the IDP and the SP. That connection will be leveraged during the <artifactresolve> <artifactresponse> phases, hence avoiding the security risk induced by a middle connection Disadvantages: Requires direct connection between IDP and SP, could lead to firewall/resolution/routing issues to be solved. The communication flow is longer and more complex. Advantages: Communications are considered more secure Does not require direct network connection between IDP and SP F5 Agility

6 OAuth 2.0 Open standard for Authorization OAuth is often described as a valet key for the web Proposed Standard RFC 6749 Key Driver Twitter, Facebook OAuth 2.0 is not compatible with 1.0 OAuth is often described as a valet key for the web F5 Agility

7 SAML 2.0 Using Assertions to Authenticate SAML Assertion is a Token/Cookie used to Auth users (Simplified) Signing the Assertion Encrypting the Assertion (Identity Provider) The device that authenticates the user The device that creates, signs, encrypts and inserts the Assertion The device that redirects the user to the target application with the Assertion SAML SP (Service Provider) The device that redirects the user request to the IdP for authentication The device that consumes the Assertion and validates it The device that redirects the authenticated user to the application 7 F5 Agility

8 SAML Design (Public SP Application) Academic Environment Internet User makes a SAML Supported request for a resource University App DMZ SAML SP Private/Public Cloud Research App F5 Agility

9 SAML Design (Public SP Application) Academic Environment Service provider(sp) application performs IdP Discovery to find out how to authenticate the user University App DMZ SAML SP Private/Public Cloud Research App F5 Agility

10 SAML Design (Public SP Application) APM Detects User s IdP and redirects user to their specific IdP using SP Initiated Post (or Redirect) University App DMZ SAML SP Private/Public Cloud Research App F5 Agility

11 SAML Design (Public SP Application) Internet User makes a SAML Supported request for a resource including the SAML Assertion University App DMZ SAML SP Private/Public Cloud Research App F5 Agility

12 SAML Design (Public SP Application) APM validates the assertion and sends request to Application APM also has the ability to perform LDAP/AD Query for further validation and to set appropriate ACL s based on variables such as: Domain User Device Type Origin Network - Etc University App DMZ SAML SP Private/Public Cloud LDAP Research App F5 Agility

13 Question - How will we detect users IdP - Host - URI - - Other - Anything that is constant and predictable can be used for IdP Discovery F5 Agility

14 IDP Discovery Demo

15 SAML Authenticating to the App without User/Pass SAML Assertion replaces the requirement for Password APM SSO to the Application will be Kerberos (KCD) or Custom Auth via Headers or something similar OWA.customer.com You must understand how the Application identifies the user and creates a session Any mechanism requiring a password will not work NTLM Basic Forms Post Unless the IDP passes original user s password as a parameter and it is valid in context of authenticating to the application then NTLM/Basic/Forms can be used Sharepoint.customer.com Internal Application F5 Agility

16 Exchange Hybrid Federation Scenario User with mailbox on premises login.f5se.com Customer DataCenter User ActiveDirectory CAS Array Azure Cloud 1. User goes to 2. Exchange SP Virtual send them to IDP login.f5se.com with SAML AuthN request 3. User enters their credentials and authenticates to login service 4. Login responds with SAML Assertion that contains username and password, it gets sent to OWA SP, 5. Exchange SP Policy checks if user is on-premises and forwards to CAS mail.f5se.com F5 Agility

17 Exchange Hybrid Federation Scenario User with mailbox hosted in Office 365 login.f5se.com Customer DataCenter User ActiveDirectory mail.f5se.com CAS Array 1. User goes to 2. Exchange SP Virtual send them to IDP login.f5se.com with SAML AuthN request 3. User enters their credentials and Azure Cloud authenticates to login service 6. Office 365 sends authentication request to 4. Login responds with SAML Assertion that login.f5se.com contains username and password, it gets 7. Login.f5se.com IDP responds with SAML sent to assertion(user has already authenticated to 5. Exchange SP Policy determines user is it in step 3) and user is signed on to OWA hosted in Office 365 and redirects them to in the Office 365 F5 Agility

18 SAML- Federating APM s Authentication to the App (With and Without Password) Data Center 1 Client successfully logs on to an Internal Application where the APM VIP Requires SAML Authentication Login.customer.com Users Portal.customer.com Private/Public Cloud OWA.customer.com Sharepoint.customer.com Internal Application F5 Agility

19 SAML- Federating APM s Authentication to the App (With and Without Password) Data Center 1 The BIG-IP VIP should be configured to redirect to the Corporate Login.customer.com Users Portal.customer.com Private/Public Cloud OWA.customer.com Sharepoint.customer.com Internal Application F5 Agility

20 SAML- Federating APM s Authentication to the App (With and Without Password) An SP Initiated Post is sent back to the client in the form of a redirect to the IdP ( Data Center 1 Login.customer.com Client is presented with a Username/Password Form from the IdP (Including 2 factor based on policy) Users Portal.customer.com Private/Public Cloud OWA.customer.com Sharepoint.customer.com Internal Application F5 Agility

21 SAML- Federating APM s Authentication to the App (With and Without Password) The APM Policy is run to Authenticate the user against their user store Data Center 1 Login.customer.com The user browser is presented with a SAML Assertion Users Portal.customer.com Private/Public Cloud OWA.customer.com Sharepoint.customer.com Internal Application F5 Agility

22 SAML- Federating APM s Authentication to the App (With and Without Password) Data Center 1 Client is redirected to the VIP and APM successfully logs the user on to an Internal Application Login.customer.com Users Portal.customer.com Private/Public Cloud OWA.customer.com Sharepoint.customer.com Internal Application F5 Agility

23 SAML- Federating APM s Authenticationg to the App (With and Without Password) Let s look at how the Applications create Session: OWA authenticates Users via Kerberos so no Password is required Sharepoint uses NTLM. F5 APM as an IdP can be configured to insert session.logon.last.password into the Assertion as a SAML Variable. The APM functioning as SP can use this when creating the Session for the user The Internal Application authenticates the user via HTTP Header and trusts the BIG-IP The variable ${session.logon.last.password} is not required to be inserted by the IdP for use at the SP F5 Agility

24 Demo Authenticating to Sharepoint using SAML on the front and NTLM to the server

25 SAML SLO Single LogOut Initiated from APM As SP: Final Logout 9 Post is done to logout URL in IdP connector As IdP: 8 5 Logout RSP SP2 Logout RSP1 Logout RQ SP2 6 IDP Post is done to logout URL in SP connectors Users 1 Logout URL Done whenever my.logout.php3 URL is encountered Logout SP1 2 Initiated from Elsewhere APM as SP: 3 Logout RQ1 Logout RSP1 4 SP1 We kill the session, and do a POST to response URL in IdP connector As IdP: We kill the session, and do a POST to response URL in SP connector 6 Logout RQ SP2 Logout RQ SP2 7 SP2 F5 Agility

26 Putting it all together

27 SAML Lab Overall Use Cases Users Login.customer.com Active Directory Portal.customer.com Data Center 2 Private/Public Cloud OWA.customer.com SaaS - PaaS Business Partners Sharepoint.customer.com ADFS Internal Application F5 Agility

28