Biometric Single Sign-on using SAML Architecture & Design Strategies



Similar documents
Biometric Single Sign-on using SAML

Security Assertion Markup Language (SAML)

Biometric SSO Authentication Using Java Enterprise System

Security Assertion Markup Language (SAML) 2.0 Technical Overview

Interoperable Provisioning in a Distributed World

Open Source Identity Integration with OpenSSO

Stronger Authentication with Biometric SSO

Web Access Management and Single Sign-On

Securing Web Services With SAML

Security Assertion Markup Language (SAML) V2.0 Technical Overview

Single Sign-On Implementation Guide

Single Sign-On Implementation Guide

Single Sign-On Implementation Guide

SAML Security Option White Paper

IAM Application Integration Guide

SAML and XACML Overview. Prepared by Abbie Barbir, Nortel Canada April 25, 2006

FEDERATED IDENTITY MANAGEMENT:

Web Services Security: OpenSSO and Access Management for SOA. Sang Shin Java Technology Evangelist Sun Microsystems, Inc. javapassion.

Web Single Sign-On Authentication using SAML

VETUMA SAML SAMPLE MESSAGES

SAP NetWeaver Single Sign-On. Product Management SAP NetWeaver Identity Management & Security June 2011

Contents at a Glance. 1 Introduction Basic Principles of IT Security Authentication and Authorization in

TECHNOLOGY BRIEF: INTEGRATED IDENTITY AND ACCESS MANAGEMENT (IAM) An Integrated Architecture for Identity and Access Management

SAML Security Analysis. Huang Zheng Xiong Jiaxi Ren Sijun

SAML:The Cross-Domain SSO Use Case

Single Sign on Using SAML

MLSListings Single Sign On Implementation Guide. Compatible with MLSListings Applications

Allidm.com. SSO Introduction. Discovering IAM Solutions. Leading the IAM facebook/allidm

Secure Identity in Cloud Computing

Evaluation of different Open Source Identity management Systems

An Oracle White Paper Dec Oracle Access Management Security Token Service

MONDESIR Eunice WEILL-TESSIER Pierre FEDERATED IDENTITY. ASR 2006/2007 Final Project. Supervisers: Maryline Maknavicius-Laurent, Guy Bernard

National Identity Exchange Federation. Web Browser User-to-System Profile. Version 1.0

WebLogic Server 7.0 Single Sign-On: An Overview

OSOR.eu eid/pki/esignature Community Workshop in Brussels, 13. November 2008 IT Architect Søren Peter Nielsen - spn@itst.dk

Federal Identity, Credential, and Access Management Security Assertion Markup Language (SAML) 2.0 Web Browser Single Sign-on (SSO) Profile

Federated Identity in the Enterprise

Federated Identity Management Solutions

Security solutions Executive brief. Understand the varieties and business value of single sign-on.

Configuring SAML2 for Single Sign-On to Smartsheet (Enterprise Only)

INUVIKA OPEN VIRTUAL DESKTOP ENTERPRISE

The Primer: Nuts and Bolts of Federated Identity Management

New Single Sign-on Options for IBM Lotus Notes & Domino IBM Corporation

Web Services Security: What s Required To Secure A Service-Oriented Architecture. An Oracle White Paper January 2008

Secure Credential Federation for Hybrid Cloud Environment with SAML Enabled Multifactor Authentication using Biometrics

NCSU SSO. Case Study

Implementation Guide SAP NetWeaver Identity Management Identity Provider

Gabriel Magariño. Software Engineer. Overview Revisited

Research and Implementation of Single Sign-On Mechanism for ASP Pattern *

SAML Profile for SSO in Danish Public Sector V2.0 Assertion Examples,

Cloud Standards. Arlindo Dias IT Architect IBM Global Technology Services CLOSER 2102

Federations 101. An Introduction to Federated Identity Management. Peter Gietz, Martin Haase

JVA-122. Secure Java Web Development

Disclaimer. SAP 2008 / SAP TechEd 08 / SIM202 / Page 2

The Primer: Nuts and Bolts of Federated Identity Management

Secure Identity Propagation Using WS- Trust, SAML2, and WS-Security 12 Apr 2011 IBM Impact

Secure the Web: OpenSSO

SAML basics A technical introduction to the Security Assertion Markup Language

Title: A Client Middleware for Token-Based Unified Single Sign On to edugain

<Insert Picture Here> Oracle Security Developer Tools (OSDT) August 2008

Web Based Single Sign-On and Access Control

Разработка программного обеспечения промежуточного слоя. TERENA BASNET Workshop, November 2009 Joost van Dijk - SURFnet

Cloud Single Sign-On and On-Premise Identity Federation with SAP NetWeaver Cloud White Paper

SAML Federated Identity at OASIS

Federal Identity, Credentialing, and Access Management Security Assertion Markup Language (SAML) 2.0 Web Browser Single Sign-on (SSO) Profile

Flexible Identity Federation

SAML-Based SSO Solution

IBM WebSphere Application Server

Enabling Federation and Web-Single Sign-On in Heterogeneous Landscapes with the Identity Provider and Security Token Service Supplied by SAP NetWeaver

nexus Hybrid Access Gateway

The Role of Federation in Identity Management

OIO SAML Profile for Identity Tokens

Perceptive Experience Single Sign-On Solutions

Trusting XBRL: Using the Liberty Web Services Framework to Secure and Authenticate XBRL Documents

NIST s Guide to Secure Web Services

Ameritas Single Sign-On (SSO) and Enterprise SAML Standard. Architectural Implementation, Patterns and Usage Guidelines

DocuSign Single Sign On Implementation Guide Published: March 17, 2016

SAML: The Secret to Centralized Identity Management

STUDY ON IMPROVING WEB SECURITY USING SAML TOKEN

White Paper Delivering Web Services Security: The Entrust Secure Transaction Platform

Feide Technical Guide. Technical details for integrating a service into Feide

Masdar Institute Single Sign-On: Standards-based Identity Federation. John Mikhael ICT Department

HP Software as a Service. Federated SSO Guide

Agenda. How to configure

White Paper Cybercom & Axiomatics Joint Identity & Access Management (R)evolution

Project Title: Judicial Branch Enterprise Document Management System RFP Number: FIN122210CK Appendix D Technical Features List

Stronger / Multi-factor Authentication For Enterprise Applications (Identity Assurance using PKI, Smart cards and Biometrics)

Federation architectures for mobile applications OAuth 2.0 Drivers OAuth 2.0 Overview Mobile walkthrough

OIOIDWS for Healthcare Token Profile for Authentication Tokens

Biometrics for Global Web Authentication: an Open Source Java/J2EE-Based Approach

INTEGRATION GUIDE. IDENTIKEY Federation Server for Juniper SSL-VPN

Single Sign-On Implementation Guide

Configuring SAML2 for Single Sign-On to Smartsheet (Enterprise Only)

Transcription:

Biometric Single Sign-on using SAML Architecture & Design Strategies Ramesh Nagappan Java Technology Architect Sun Microsystems Ramesh.Nagappan@sun.com 1 Setting Expectations What you can take away! Understand the importance of Single Sign-On (SSO) and its role in enterprise IT applications. Get introduced to SAML standard for enabling SSO with Biometric authentication. Understand the Architecture and Strategies for implementing Biometric SSO using SAML. How to build Multifactor SSO using Biometrics in enterprise IT applications. 2 1

Agenda The State of the Industry > CIO Headaches > Identity Management - Promises > Single Sign-on : SAML to the rescue > Biometric SSO Development Challenges The role of SAML in Biometric SSO > Anatomy of SAML > SAML use cases > How it works Biometric SSO: Architecture & strategies > Tools of the Trade > Implementation Strategies > Multi-factor SSO using Biometrics 3 Information is Everywhere Growing Exponentially Thanks to Internet and Open Standards 4 2

Web based Application Proliferation Internet 5 Multiple Sign-on Authentication Silos Leads to application extensibility dead-ends! 6 3

The Promise of Identity Management Why it is important? Standardized platform to manage Identity lifecycle supporting multiple and heterogeneous resources. Single sign-on (SSO) access to disparate resources within an enterprise and beyond organizational boundaries. > SSO and Cross-domain SSO based authentication and authorization > Enhance security with Multi-factor based strong authentication > Extend access to trusted partnerships via Federated SSO over Internet Centralized or distributed policy enforcement Auditing and reporting of authentication and authorization events Provisioning and De-provisioning users on-demand Identity Management is Key to a Successful Security Strategy 7 Single Sign-on: In reality Single sign-on offers Allow access to disparate Consistent User experience resources with & Enhanced Security Strong authentication Identity Management is Key to a Successful Security Strategy 8 4

Enabling Biometric SSO: Challenges Common implementation challenges? How to enable biometric callbacks in Web based applications. > Representing Device callbacks without using client-side dependencies. > How to ensure confidentiality and integrity of biometric samples in transit. How to identify and verify the client origin host and requests. > Identifying spoofed clients, message replay, session hijacks How to manage users sessions, idle time and logout > Managing user sessions and monitoring for session timeouts. > Performing single log-out across multiple resources without residue. How to initiate Multi-factor authentication and share state? How to avoid multiple sign-on among multiple applications. > Propagating security context with trust boundaries and avoid re-authentication How to perform biometric enrollment using a Web environment 9 Introducing SAML Overview Security Assertions Markup Language Open XML Standard protocol for exchanging authentication and authorization information > OASIS approved Industry-standard. > Designed for SSO, Multi-domain SSO and Federation > SAML 2.0 allow use of SAML in devices, support session management in Web applications. Promotes Interoperability among Identity Providers and Service providers. > Authentication Provider Independence SAML is used by other industry-standards Liberty Alliance, OASIS WS-Security and Shibboleth. 10 5

SAML Adoption How is SAML being used today? Web Single sign-on (SSO) > SAML enables SSO through exchanging authentication and authorization assertions. > SSO can be part of single or multiple autonomous domains. Federated Identity > Establish Federated Identity sharing between trusted partners. Attribute-Based Authorizations > Communicate Identity information about a subject from Web site to another. Securing Web Services > SAML assertions can be used within SOAP Messages. > OASIS WS-Security TC has defined a SAML Profile to support use of SAML. 11 Anatomy of SAML Core components SAML Assertions > A set of one or more statements made by a SAML Authority/Identity provider. SAML Protocols > Define Request/Response protocols to support exchanging assertions. > Ex. Authentication Request, Single Logout SAML Bindings > Defines how SAML can be communicated using standard protocols. (ex. HTTP, SOAP) SAML Profiles > Defines the usage of SAML for an application. > Ex. Web Browser SSO Profile Profile Bindings Protocols Assertions Anatomy of SAML 12 6

Anatomy of SAML... contd. Environment specific components SAML Metadata > Defines how a SAML entity describe its configuration data. Authentication Context > Defines the type and strengths of authentication requirements. > What authentication processes are enforced before issuing the assertion. (Ex. Using Multi-factor authentication) 13 SAML Assertions SAML Assertions are statements issued by a SAML Authority Authentication Assertion > SAML statement that represents a successful authentication performed on a subject (Service requestor). Authorization Decision Assertion > It represents an authorization decision that subject is allowed to access a requested resource. > Ex. Ramesh Nagappan is permitted to speak at BC 2006. Attribute Assertion > It identifies the attributes of a subject, especially additional data intended for the service provider. > Ex. Ramesh Nagappan works for Sun Microsystems. SAML Assertion Authentication Assertion Authorization Assertion Attribute Assertion SAML Assertions 14 7

Anatomy of SAML Message <saml:assertion xmlns:saml="urn:oasis:names:tc:saml:2.0:assertion" Version="2.0" IssueInstant="2006-08-01T17:50:50.000Z"> <saml:issuer>http://nramesh.east.sun.com/</saml:issuer> <!-- Digital signature of the issuer --> <ds:signature>...</ds:signature> <saml:subject> <saml:nameid format="urn:oasis:names:tc:saml:2.0:nameid-format:persistent"> xyz000181 </saml:nameid> </saml:subject> <saml:authnstatement AuthnInstant="2006-08-01T17:50:30.000Z" SessionIndex="123456"> <saml:authncontext> <saml:authncontextclassref> urn:oasis:names:tc:saml:2.0:ac:classes:passwordprotectedtransport </saml:authncontextclassref> </saml:authncontext> </saml:authnstatement> </saml:assertion> 15 SAML Security How to protect SAML assertions? SAML recommends the use of HTTP over SSL/TLS for ensuring transportlevel security. > Prevents MITM attacks on SAML assertions. SAML supports XML Signature and XML Encryption for ensuring messagelevel confidentiality and integrity. > The SAML constructs can be encrypted and digitally signed before issuing the assertion. 16 8

SAML Use Case Scenario Single sign-on Authenticate User Access Protected resource (SAML Assertion) SAML Compliant Identity Provider (ex. identityprovider.sun.com) SAML Asserting Party SAML Aware Service Provider (ex. services.ebay.com) SAML Relying Party 17 Biometric SSO Architecture and Design Strategies Identity Provider Biometric AuthN Makes use of SAML compliant Identity provider to issue SAML assertions. Biometric vendor is configured as an authentication provider. > Ex. Java Authentication and Authorization (JAAS) LoginModule for enabling Identity provider Integration. Makes use of SAML enabled Biometric authentication provider to issue SAML assertions. > Ex. Use OpenSAML support to issue SAML tokens 18 9

Biometric SSO: Tools of the Trade Identity Provider Infrastructure > OASIS SAML 2.0 > Liberty Phase II > JAAS (Java Authentication & Authorization Service) > LDAP v3 > JSR-196 (Authentication Provider for Web Services) Biometric Authentication Infrastructure > JAAS LoginModule > OASIS SAML 2.0 > OASIS SPML 2.0 Adapter Identity Provisioning Infrastructure > OASIS SPML 2.0 > OASIS WS-BPEL 1.1 19 Biometric SSO: Identity Provider Strategy Using a SAML compliant Identity Provider J2EE Applications Request Access SAML Compliant Identity Provider Infrastructure Issue SAML Assertion Databases Biometrics Single/Multi-modal Perform Authentication Biometric AuthN Middleware Directories Enterprise Applications * [SAML Asserting Authority] [SAML Relying Authorities] 20 10

Biometric SSO: Bio AuthN Provider Strategy Using a SAML compliant Biometric Authentication Provider J2EE Applications Request Access* SAML compliant Biometric AuthN Middleware Issue SAML Assertion Databases Biometrics Single/Multi-modal Perform Authentication & Issue SAML Assertion Directories [SAML Asserting Authority] Enterprise Applications * [SAML Relying Authorities] 21 Multi-factor SSO including Biometrics Case study with Sun Java System Access Manager and BiObex [SAML Asserting [SAML Relying Authority] Authority] Sun Java System Access Manager Multi-modal Biometrics Authentication SAML Desktops* Single Sign-on Authorization Assertion * SSL Multi-Domain SSO Federated SSO Policies User/Role Pr ofiles Databases / Directories Smartcard (CAC/PKCS#15) Password [Authentication Providers] Perform Authentication Chain BiObex Audit Logs Certificate Authority w/ OCSP Resp. LDAP Directory / Oracle Database Portal Applications Enterprise Applications * 22 11

Further References Core Security Patterns > Chris Steel, Ramesh Nagappan & Ray Lai > Special focus on Identity Management using Biometrics and Smartcards > www.coresecuritypatterns.com OASIS SAML 2.0 > www.oasis-open.org/specs/index.php#samlv2.0 Sun Java System Identity Mgmt Suite > www.sun.com/products/identity/index.jsp Article: Biometric Authentication for J2EE and Web based Applications http://developers.sun.com/prodtech/identserver/reference/techart/bioauthentication.html 23 Biometric Single Signon using SAML Architecture and Design Strategies Ramesh Nagappan nramesh@post.harvard.edu www.coresecuritypatterns.com/downloads 12

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information