Infocard and Eduroam. Enrique de la Hoz, Diego R. López, Antonio García, Samuel Muñoz

Index
- Introduction to Infocard
- Infocard usage
- uSSO (unified SSO) using Infocard in eduroam
- Questions

Infocard
- Artifact with a unique identifier from an identity provider that users can employ to visualize their digital relationship with the identity provider in user interfaces and to request security tokens with claims from the identity provider.
- An Information Card is an XML document that can be used as an artifact to get security tokens containing the values of the requested claims.
- Token agnostic: OpenID, SAML 1.1
- Claims-based applications
- Built upon WS-* protocols

Infocard support
Client side:
- Microsoft CardSpace
- Bandit project, DigitalMe: http://code.bandit-project.org/trac/wiki/digitalme
- Azigo: http://www.simplysecure.biz/infocards.html
- Safari and Firefox identity selectors
Server side (RP / IP):
- Geneva Project, .NET
- Higgins Project: http://www.eclipse.org/higgins/
- Shibboleth: https://spaces.internet2.edu/display/shib/information+cards
- Sun OpenSSO: https://cardspaceauthn.dev.java.net/
- SimpleSAMLphp (coming soon)

[Diagram: token flow between Identity Selector, Identity Provider and Relying Party. Labels: RP's key is not known to the IP; token is not encrypted (by the IP); Request security token / Response security token; Encrypt to the client; Decrypt; Encrypt token with RP's key; Token requirements; Generate message; Generate a response message.]

[Diagram: WS-* Metasystem Protocol between Client Application, Identity Selector, Relying Party and Identity Provider]
1. Client Application -> Relying Party: WS-MEX GetMetadata Request
2. Relying Party -> Client Application: WS-MEX GetMetadata Response (Policy)
3. Client Application -> Identity Selector: GetToken(RP Policy)
4. Identity Selector: Select Identity
5. Identity Selector -> Identity Provider: WS-MEX GetMetadata Request
6. Identity Provider -> Identity Selector: WS-MEX GetMetadata Response (WS-SecurityPolicy: identity needs credentials)
7. Identity Selector -> Identity Provider: WS-Trust RST Request (user credentials)
8. Identity Provider -> Identity Selector: WS-Trust RSTR Response (security token)
9. Identity Selector -> Client Application: Return security token
10. Client Application -> Relying Party: Access Resource with security token (WS-Security)

Infocard Architecture Elements
- User app (usually a web browser, but not necessarily)
- Identity Selector
- Relying Party (RP): token consumer
- IP/STS: token issuer and Infocard issuer

Infocard Usage
- Authentication
  - Secure OpenID: OpenID Information Cards (https://openidcards.sxip.com/spec/openid-infocards.html)
  - Self-issued cards as a replacement for user/password authentication
  - Plugin for WordPress: http://pamelaproject.com/pwwp/
  - Windows Live ID: http://dev.live.com/liveid/
- Control of information disclosure
- Easier management of digital identity

eduroam? What!
- Infocard as a key technology for uSSO.
- We do have working IdPs: either RADIUS or an IdP in eduGAIN
- We could issue Infocards
- We have claims-based apps
- We could issue tokens containing those claims on request

Architecture Description

Step by step
1 - RADIUS Authentication Request
2 - RADIUS Response
3 - (Optional) Information Card retrieval
4 - SP Access
5 - Redirection to Home IdP
6 - Infocard Authentication (WS-*)
7 - Access granted / rejected

RADIUS (steps 1 and 2)
- User is authenticated to RADIUS as usual.
- Communication channel between RADIUS and the Infocard STS
- Infocard STS generates an Information Card for the user
- The Information Card itself could be contained in the RADIUS response (EAP-TLV), or the user could download the Information Card from a URI specified in an attribute of the RADIUS response (step 3, then)
What then?
- The supplicant will be in charge of importing the received Information Card into the Information Card store
- No sensitive information in the Information Card

User Privacy
What about user privacy?
- The Infocard does not contain any info about user attributes
- Attribute disclosure is under the strict control of the end user

Service Provider Access
What for? Service access -> Information Card model
- Access to the SP, redirection to the home institution IdP
- The IdP will act as an RP in the InfoCard architecture
- https access
- It will require an Information Card for access
- Policy:
  » With a trusted issuer
  » Containing a certain set of attributes

Information Card (step 6)
- The STS will be located in the home domain of each user
- The STS will issue a token containing the required attributes
- It could be a signed SAML token.
- If and only if the user is connected. As soon as the user logs out, the STS will stop token issuance for him.
- The IP/STS may or may not know who is requesting the attributes

Step 6 Explained
How?
- WS-Trust, WS-Security, WS-MetadataExchange, WS-SecurityPolicy
- RP <-> STS communication
- Information Card validation
- User consent
- User MUST be connected to eduroam; user not connected -> validation will fail
- Covert channel between RADIUS and STS
- SAML token issuance
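A minimal model of step 6, added here as an illustration and not part of the slides: the identity selector matches a card against the RP's policy (trusted issuer, required claims), and the home-domain STS issues a token only while the user's RADIUS session is active and the user has consented. HMAC over a JSON body stands in for the XML signature of a real SAML token; the issuer names, attribute store and session table are constructed sample data.

```python
# Added example (not from the slides): step 6 of the proposal, where the STS
# issues a claims token for an Information Card only while the user's eduroam
# (RADIUS) session is active. HMAC stands in for a SAML XML signature; all
# names and sample data below are constructed for the demo.
import hmac, hashlib, json

STS_KEY = b"constructed-demo-key"   # shared with the RP for this toy signature check

# Information Card: names the issuer and the claims it can deliver, but carries
# no attribute values (the slides' "no sensitive information in the card").
CARD = {"card_id": "card-0001", "issuer": "sts.example.edu",
        "claims": ["eduPersonAffiliation", "schacHomeOrganization"]}

# RP policy (the home IdP acting as RP): trusted issuer plus required claim set.
RP_POLICY = {"trusted_issuers": {"sts.example.edu"},
             "required_claims": ["eduPersonAffiliation"]}

# Constructed attribute store and RADIUS session table (the RADIUS<->STS channel).
ATTRS = {"alice": {"eduPersonAffiliation": "student",
                   "schacHomeOrganization": "example.edu"}}
RADIUS_SESSIONS = {"alice": {"active": True}}

def card_matches_policy(card, policy):
    """Selector-side check: card issuer is trusted and it offers every required claim."""
    return (card["issuer"] in policy["trusted_issuers"]
            and set(policy["required_claims"]) <= set(card["claims"]))

def sts_issue_token(user, card, policy, consent):
    """STS: validate the card, require an active eduroam session and user consent,
    then issue a token holding only the required claims, signed with STS_KEY."""
    if not card_matches_policy(card, policy) or not consent:
        return None
    if not RADIUS_SESSIONS.get(user, {}).get("active"):   # logged out -> refuse
        return None
    body = {"issuer": card["issuer"], "subject": user,
            "claims": {c: ATTRS[user][c] for c in policy["required_claims"]}}
    raw = json.dumps(body, sort_keys=True).encode()
    return {"body": body, "sig": hmac.new(STS_KEY, raw, hashlib.sha256).hexdigest()}

def rp_validate(token, policy):
    """RP: check the signature and the trusted issuer; return the claims or None."""
    if token is None or token["body"]["issuer"] not in policy["trusted_issuers"]:
        return None
    raw = json.dumps(token["body"], sort_keys=True).encode()
    expected = hmac.new(STS_KEY, raw, hashlib.sha256).hexdigest()
    return token["body"]["claims"] if hmac.compare_digest(expected, token["sig"]) else None

def radius_logout(user):
    """RADIUS accounting stop: from here on the STS refuses to issue tokens for the user."""
    RADIUS_SESSIONS[user]["active"] = False
```

The token carries only the claims the policy asked for, so the second attribute in the card is never disclosed to this RP.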

Requirements
How would this affect the existing infrastructure? Minor changes:
- New RADIUS attributes: EAP TLV to exchange the Information Card
- Minor modifications to the supplicant
- IdP side: OpenSSO and Shibboleth support the InfoCard model
- And SimpleSAMLphp ;) (see you tomorrow!)

Thank you Questions/comments?

Further info: contact me at enrique.delahoz@uah.es