Enabling SAML for Dynamic Identity Federation Management

Similar documents
Federated Identity Management Solutions

Open Source Identity Integration with OpenSSO

MONDESIR Eunice WEILL-TESSIER Pierre FEDERATED IDENTITY. ASR 2006/2007 Final Project. Supervisers: Maryline Maknavicius-Laurent, Guy Bernard

Software Design Document SAMLv2 IDP Proxying

SAML Federated Identity at OASIS

Web Services Security: OpenSSO and Access Management for SOA. Sang Shin Java Technology Evangelist Sun Microsystems, Inc. javapassion.

Introducing Shibboleth

External and Federated Identities on the Web

Masdar Institute Single Sign-On: Standards-based Identity Federation. John Mikhael ICT Department

SAML-Based SSO Solution

The Primer: Nuts and Bolts of Federated Identity Management

SAML SSO Configuration

Flexible Identity Federation

The Primer: Nuts and Bolts of Federated Identity Management

OpenSSO: Cross Domain Single Sign On

Разработка программного обеспечения промежуточного слоя. TERENA BASNET Workshop, November 2009 Joost van Dijk - SURFnet

A Shibboleth View of Federated Identity. Steven Carmody Brown Univ./Internet2 March 6, 2007 Giornata AA - GARR

Leveraging New Business Models with Identity Management An e-learning case study

SAML-Based SSO Solution

Federated Identity for Cloud Computing and Cross-organization Collaboration

Biometric Single Sign-on using SAML

Trend of Federated Identity Management for Web Services

Extending DigiD to the Private Sector (DigiD-2)

HOL9449 Access Management: Secure web, mobile and cloud access

The Top 5 Federated Single Sign-On Scenarios

Federated Identity Management and Shibboleth. Noreen Hogan Asst. Director Enterprise Admin. Applications

Nationwide and Regional Health Information Networks and Federated Identity for Authentication and HIPAA Compliance

OpenAM All-In-One solution to securely manage access to digital enterprise and customer services, anytime and anywhere.

Distributed Identity Management Model for Digital Ecosystems

SAML Security Option White Paper

IBM WebSphere Application Server

Configuring Single Sign-on from the VMware Identity Manager Service to WebEx

ABFAB and OpenStack(in the Cloud)

OSOR.eu eid/pki/esignature Community Workshop in Brussels, 13. November 2008 IT Architect Søren Peter Nielsen - spn@itst.dk

Configuring EPM System for SAML2-based Federation Services SSO

Federated Identity Management. Willem Elbers (MPI-TLA) EUDAT training

Enhancing Web Application Security

MY1LOGIN SOLUTION BRIEF: PROVISIONING. Automated Provisioning of Users Access to Apps

IMPLEMENTING SINGLE SIGN- ON USING SAML 2.0 ON JUNIPER NETWORKS MAG SERIES JUNOS PULSE GATEWAYS

TIB 2.0 Administration Functions Overview

Logout in Single Sign-on Systems

Computer Systems Security 2013/2014. Single Sign-On. Bruno Maia Pedro Borges

Federation At Fermilab. Al Lilianstrom National Laboratories Information Technology Summit May 2015

Using SAML for Single Sign-On in the SOA Software Platform

SAML Single-Sign-On (SSO)

Copyright: WhosOnLocation Limited

Biometric Single Sign-on using SAML Architecture & Design Strategies

Abstract of the Core Concepts of S.A.F.E.: Standards for Federated Identity Management

OpenID and identity management in consumer services on the Internet

SAML:The Cross-Domain SSO Use Case

Identity Federation Broker for Service Cloud

Shibboleth N-Tier Support. Chad La Joie

Identity Federation: Bridging the Identity Gap. Michael Koyfman, Senior Global Security Solutions Architect

Enabling Federation and Web-Single Sign-On in Heterogeneous Landscapes with the Identity Provider and Security Token Service Supplied by SAP NetWeaver

Identity Management. (Re)discovering authorization APIs and LDAP model binding. Clément OUDOT

RSA Solution Brief. Federated Identity Manager RSA. A Technical Overview. RSA Solution Brief

Zendesk SSO with Cloud Secure using MobileIron MDM Server and Okta

Single Sign On. SSO & ID Management for Web and Mobile Applications

IBM Tivoli Federated Identity Manager V6.2.2 Implementation. Version: Demo. Page <<1/10>>

Configuring SAML2 for Single Sign On to Smartsheet (Enterprise Only)

A Standards-based Mobile Application IdM Architecture

Single Sign-On for the UQ Web

Get Success in Passing Your Certification Exam at first attempt!

An SAML Based SSO Architecture for Secure Data Exchange between User and OSS

An Oracle White Paper August Oracle OpenSSO Fedlet

IVOA Single-Sign-On Profile: Authentication Mechanisms Version 2.0

How Single-Sign-On Improves The Usability Of Protected Services For Geospatial Data

Identity Management in Liferay Overview and Best Practices. Liferay Portal 6.0 EE

Identity opens the participation age. Dr. Rainer Eschrich. Program Manager Identity Management Sun Microsystems GmbH

Federations 101. An Introduction to Federated Identity Management. Peter Gietz, Martin Haase

Identity Management in Telcos. Jörg Heuer, Deutsche Telekom AG, Laboratories. Munich, April 2008

Trusting XBRL: Using the Liberty Web Services Framework to Secure and Authenticate XBRL Documents

OPENIAM ACCESS MANAGER. Web Access Management made Easy

Introducing Infocards in NGN to enable user-centric identity management

An Oracle White Paper July Oracle Identity Federation

UNIVERSITY OF COLORADO Procurement Service Center INTENT TO SOLE SOURCE PROCUREMENT CU-JL SS. Single Sign-On (SSO) Solution

Licia Florio Project Development Officer Identity Federations in Europe

Secure the Web: OpenSSO

Spring Security SAML module

Federated Identity Management

Implementation Guide SAP NetWeaver Identity Management Identity Provider

Securing Splunk with Single Sign On & SAML

Authentication and Single Sign On

Introduction to SAML

EXTENDING SINGLE SIGN-ON TO AMAZON WEB SERVICES

E-Authentication Federation Adopted Schemes

Transcription:

Enabling SAML for Dynamic Identity Federation Management Patricia Arias, Florina Almenárez, Andrés Marín and Daniel Díaz-Sánchez University Carlos III of Madrid http://pervasive.gast.it.uc3m.es/ WMNC 2009 Second Joint IFIP Wireless and Mobile Networking Conference September 9-11, 2009 Gdańsk, Poland

IN THIS TALK Introduction What is Identity Federation? Background Current Id-Federation frameworks Underlying Trust Models Comparison Challenges Related Work SAML extension Conclusions & Future work 2

What is Identity Federation? Federation: Share and distribute attributes and identity information across different administrative domains according to certain established policies Use Cases: single-sign-on, attribute exchange, account linkage Components: IdPs, SPs and Users Identity Provider (IdP) User interface Service Povider (SP) Advantages: User: better user experience Service Providers: personalization, intelligent transactions, complexity and cost reduction User 3

MOTIVATION Trust models in today identity federation frameworks: CASE 1: NO trust CASE 2: RIGID trust Identity Provider (IdP) X Service Provider (SP) Identity Provider (IdP) Service Provider (SP) Problems NO SECURITY Problems flexibility, complexity, scalability An extension is required to allow flexible relationships and facilitate cooperation 4

Common example: Single-Sign-On Allows users to authenticate at a single site and gain access to multiple sites in a federation without providing any additional information Source web site: airline.example2.com (IdP) Authentication ➊ Identity Info TRUST Alice ➋ Access protected resource Destination web site: cars.example2.com (SP) 5

OUTLINE Introduction What is Identity Federation? Background Current Id-Federation frameworks Underlying Trust Models Comparison Challenges Related Work SAML extension Conclusions & Future work 6

Federation Frameworks Identity federation can be accomplished by different means: SAML (Security Assertion Markup Language), OASIS 2005 (v2.0) OpenID, OpenID Foundation 2005 Identity Federation Framework (ID-FF), Liberty Alliance, 2003 WS-Federation, Alliance of companies 2006 7

SAML According to the specs., SAML: defines an XML based framework to allow the exchange of security assertions between entities Profiles How SAML protocols, bindings and/or assertions combine to support a defined use-case Bindings How SAML protocols map onto standard messaging and communication protocols Protocols Request/Response pairs for obtaining assertions Assertions Authn, Attribute and AuthZ data Four main components ➊ Assertions ➋ Protocols ➌ Bindings ➍ Profiles And also: Metadata: to specify configuration information Authentication context: to provide extra info about the auth. process 8

OUTLINE Introduction What is Identity Federation? Background Current Id-Federation frameworks Underlying Trust Models Comparison Challenges Related Work SAML extension Conclusions & Future work 9

COMPARISON IdM technology SAML OpenID Liberty Alliance WS-Federation Trust Model PKI recommended. Typically implemented with trust lists No trust model. trust-all-comers philosophy, no preconfiguration required Trust architecture based on CoTs. Follows SAML recommendation (PKI). Typically implemented with trust lists. Trust arch. based on WS-Trust. Typically implemented with trust lists 10

Limitations Current frameworks are not suitable for dynamic environments: trust model poorly defined or out of the specifications scope tipically rely on PKI (implementations with trust lists) dependence on preconfiguration Challenges: Dynamic Federation We need to modify the underlying trust models to: make trust establishment more agile minimize dependences on central admin. or preconfiguration Take advantage of common knowledge Model trust evolution over time (risk management) 11

RELATED WORK 2008: Internet2, PingIdentity, Stockholm University Distributed and Dynamic SAML. Centered around discovery and easiness of configuration. Ligther federation process, but only considers certificate based trust, and is oriented to web SSO 2008: L.Boursas, Munich University of Technology Dynamic management and expansion of CoTs. Does not address the exchange of trust information over federation protocols 2009: U.Kylau, Hasso Plattner Institute Identify possible trust patterns in identity federation topologies Problems: lack of general solution, not all aspects of trust are covered 12

Requirements Extend SAML: In a generic way Maintaining backwards compatibility Allowing Dynamic Federation Design and incorporate dynamic trust models in order to facilitate the interaction between different actors involved in an IdM system. 13

OUTLINE Introduction What is Identity Federation? Background Current Id-Federation frameworks Underlying Trust Models Comparison Challenges Related Work SAML extension Conclusions & Future work 14

SAML EXTENSION FOR DYNAMIC FEDERATION Idea: enrich trust mechanisms, allow the collection of external information, maintain an automatic and dynamic store Trust engine: processes external and internal trust information performs DTL updating makes decision to trust Dynamic Trust List (DTL): is automatically updated according to the establishment and evolution of trust relationships 15

SAML extension: use case 16

IMPLEMENTATION ISSUES SP ZXID: light open C library, implements full SAML 2.0 stack IdP Authentic, based on the lasso library, supports SAML 2.0 specs Test Scenario Architecture Results so far: b r o w s e r SSO SLO IdP SP ZXID OpenSSL Apache2 Lasso OpenSSL Apache2 Single Sign-On Single Log Out LDAP WSP-API Work in Progress: Trust engine DTLs Reputation Protocol 17

OUTLINE Introduction What is Identity Federation? Background Current Id-Federation frameworks Underlying Trust Models Comparison Challenges Related Work SAML extension Conclusions & Future work 18

CONCLUSIONS We have: Analyzed the main current frameworks to achieve identity federation Identified trust management requirements in dynamic environments Proposed a SAML extension to overcome challenges and to enrich trust decisions Deploy an Identity Management infraestructure SAML is the only standard, and offers flexibility, abstraction and modularity. Also, it is the more popular and deployed. 19

FUTURE WORK We are implementing the proposed extension by completing these tasks: Adding Trust Engine and DTLs Defining messages and protocols to exchange reputation data As future work we aim to: perform evaluation experiments model trust evolution add risk analysis functionality 20

Dziękuję! (Thanks!) Questions? 21

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information