2015-11-30. Web Based Single Sign-On and Access Control

Similar documents
Lecture Notes for Advanced Web Security 2015

OAuth 2.0 Developers Guide. Ping Identity, Inc th Street, Suite 100, Denver, CO

ACR Connect Authentication Service Developers Guide

Single Sign-On Implementation Guide

Using SAML for Single Sign-On in the SOA Software Platform

A Standards-based Mobile Application IdM Architecture

Negotiating Trust in Identity Metasystem

Dell One Identity Cloud Access Manager How to Develop OpenID Connect Apps

Single Sign-On Implementation Guide

Single Sign-On Implementation Guide

INUVIKA OPEN VIRTUAL DESKTOP ENTERPRISE

EHR OAuth 2.0 Security

OAuth 2.0: Theory and Practice. Daniel Correia Pedro Félix

Table of Contents. Open-Xchange Authentication & Session Handling. 1.Introduction...3

This chapter describes how to use the Junos Pulse Secure Access Service in a SAML single sign-on deployment. It includes the following sections:

SAML and OAUTH comparison

Securing Web Services With SAML

Setting Up Federated Identity with IBM SmartCloud

Federated Identity Management Solutions

STUDY ON IMPROVING WEB SECURITY USING SAML TOKEN

IAM Application Integration Guide

SAML Single-Sign-On (SSO)

IBM WebSphere Application Server

Copyright Pivotal Software Inc, of 10

Axway API Gateway. Version 7.4.1

Fairsail REST API: Guide for Developers

Computer Systems Security 2013/2014. Single Sign-On. Bruno Maia Pedro Borges

SAML Security Analysis. Huang Zheng Xiong Jiaxi Ren Sijun

Security Assertion Markup Language (SAML) 2.0 Technical Overview

Copyright: WhosOnLocation Limited

How to create a SP and a IDP which are visible across tenant space via Config files in IS

Trend of Federated Identity Management for Web Services

MLSListings Single Sign On Implementation Guide. Compatible with MLSListings Applications

OPENID AUTHENTICATION SECURITY

Federal Identity, Credential, and Access Management Security Assertion Markup Language (SAML) 2.0 Web Browser Single Sign-on (SSO) Profile

Federal Identity, Credentialing, and Access Management Security Assertion Markup Language (SAML) 2.0 Web Browser Single Sign-on (SSO) Profile

AIRTEL INDIA OPEN API. Application Developer Guide for OAuth2 Authentication and Authorization. Document Version 1.1

SAML-Based SSO Solution

Oracle Fusion Middleware Oracle API Gateway OAuth User Guide 11g Release 2 ( )

Keeping access control while moving to the cloud. Presented by Zdenek Nejedly Computing & Communications Services University of Guelph

This section includes troubleshooting topics about single sign-on (SSO) issues.

Microsoft Office 365 Using SAML Integration Guide

Single Sign-On for the Internet: A Security Story. Eugene Tsyrklevich eugene@tsyrklevich.name Vlad Tsyrklevich vlad902@gmail.com

Enabling Federation and Web-Single Sign-On in Heterogeneous Landscapes with the Identity Provider and Security Token Service Supplied by SAP NetWeaver

OIO Web SSO Profile V2.0.5

Introduction to SAML

JVA-122. Secure Java Web Development

Practical Security Evaluation of SAML-based Single Sign-On Solutions

How To Use Kiteworks On A Microsoft Webmail Account On A Pc Or Macbook Or Ipad (For A Webmail Password) On A Webcomposer (For An Ipad) On An Ipa Or Ipa (For

How To Use Saml 2.0 Single Sign On With Qualysguard

SAML AS AN SSO STANDARD FOR CUSTOMER IDENTITY MANAGEMENT. How to Create a Frictionless, Secure Customer Identity Management Strategy

Secure Single Sign-On

How To Test For A Signature On A Password On A Webmail Website In Java (For Free)

Single Sign-On Implementation Guide

Security Assertion Markup Language (SAML)

DocuSign Information Guide. Single Sign On Functionality. Overview. Table of Contents

Shibboleth Architecture

Force.com REST API Developer's Guide

Login with Amazon. Developer Guide for Websites

Ameritas Single Sign-On (SSO) and Enterprise SAML Standard. Architectural Implementation, Patterns and Usage Guidelines

Implementation Guide SAP NetWeaver Identity Management Identity Provider

Revised edition. OIO Web SSO Profile V2.0.8 (also known as OIOSAML 2.0.8) Includes errata and minor clarifications

Flexible Identity Federation

OAuth 2.0. Weina Ma

HP Software as a Service. Federated SSO Guide

How To Manage Your Web 2.0 Account On A Single Sign On On A Pc Or Mac Or Ipad (For A Free) On A Password Protected Computer (For Free) (For An Ipad) (Free) (Unhack)

Revised edition. OIO Web SSO Profile V2.0.9 (also known as OIOSAML 2.0.9) Includes errata and minor clarifications

E-Authentication Federation Adopted Schemes

Single Sign on Using SAML

The increasing popularity of mobile devices is rapidly changing how and where we

Web 2.0 Lecture 9: OAuth and OpenID

PingFederate. Salesforce Connector. Quick Connection Guide. Version 4.1

Server based signature service. Overview

Alfresco Share SAML. 2. Assert user is an IDP user (solution for the Security concern mentioned in v1.0)

SAML Security Option White Paper

National Identity Exchange Federation. Web Browser User-to-System Profile. Version 1.0

From the Intranet to Mobile. By Divya Mehra and Stian Thorgersen

New Single Sign-on Options for IBM Lotus Notes & Domino IBM Corporation

Biometric Single Sign-on using SAML Architecture & Design Strategies

IBM WebSphere Application Server

IMPLEMENTING SINGLE SIGN- ON USING SAML 2.0 ON JUNIPER NETWORKS MAG SERIES JUNOS PULSE GATEWAYS

CA Nimsoft Service Desk

Getting Started with AD/LDAP SSO

Test Plan for Liberty Alliance SAML Test Event Test Criteria SAML 2.0

OpenSSO: Cross Domain Single Sign On

Feide Technical Guide. Technical details for integrating a service into Feide

Building Secure Applications. James Tedrick

Identity Assurance Hub Service SAML 2.0 Profile v1.2a

Software Design Document SAMLv2 IDP Proxying

Web Single Sign- On: OpenID, Shibboleth, and friends COSC412

DEPLOYMENT GUIDE. SAML 2.0 Single Sign-on (SSO) Deployment Guide with Ping Identity

Siebel CRM On Demand Single Sign-On. An Oracle White Paper December 2006

SAML-Based SSO Solution

Web Single Sign-On Authentication using SAML

OpenLogin: PTA, SAML, and OAuth/OpenID

PingFederate. Windows Live Cloud Identity Connector. User Guide. Version 1.0

INTEGRATE SALESFORCE.COM SINGLE SIGN-ON WITH THIRD-PARTY SINGLE SIGN-ON USING SENTRY A GUIDE TO SUCCESSFUL USE CASE

Open Source Identity Integration with OpenSSO

Tenrox. Single Sign-On (SSO) Setup Guide. January, Tenrox. All rights reserved.

Extending DigiD to the Private Sector (DigiD-2)

Transcription:

0--0 Web Based Single Sign-On and Access Control Different username and password for each website Typically, passwords will be reused will be weak will be written down Many websites to attack when looking for passwords Users need to trust them all Will they use salt Will hash function be slow Will they even be hashed Stolen hashed passwords Will be easier to recover Can be tested on other websites EITN - Advanced Web Security EITN - Advanced Web Security Authenticate once use many times Typical solution cookies Cookies do not cross domains Need solution that can work between domains Many solutions to this problem Main ideas very similar Three parties involved We look at SAML, OpenID Several other variants exists credentials Description of party The party that authenticates the user SAML name (Web based SSO profile) Identitiy Provider (IdP) The user of the system Subject Subject The party that the user wants to log in to credentials Service Provider (SP) Token/assertion OpenID name OpenID Provider (OP) Relying Party (RP) EITN - Advanced Web Security EITN - Advanced Web Security

0--0 Security Assertion Markup Language Based on XML Uses four main notations Assertions Statement about a subject Authentication statement Attribute statement Authorization decision statement Protocols How assertion should be exchanged Bindings How assertion should be transported HTTP GET, HTTP POST, SOAP, Profiles How assertions, protocols and bindings should be used in a particular scenario Web based single sign-on is one profile <saml:assertion> <saml:issuer> <saml:subject> <saml:conditions> <saml:authnstatement> <saml:attributestatement> <saml:authzdecisionstatement> </saml:assertion> Authentication statement The assertion subject was authenticated at a particular time by some particular means Attribute Statement The assertion subject is associated with some particular attributes Authorization Decision Statement Decision that a subject has been authorized access to some particular resource (or not) String defining the issuer of the assertion String defining the subject of the assertion Conditions under which the assertion is valid Timestamps (notbefore and notafter) Who should use the assertion Assertions (one or more) EITN - Advanced Web Security EITN - Advanced Web Security 6 SP. Subject attempts to access resource on SP. SP determines identity of IdP. SP sends <AuthnRequest> to IdP IdP. IdP authenticates the subject. IdP sends <Response> back to the SP (Authentication Statement) 6. SP verifies the authentication statement Steps and can be sent directly to receiver,6 Authentication request protocol defines how to ask for an assertion Example of request <AuthnRequest ID= > <Subject> </Subject> <Conditions> </Conditions> <Issuer>..</Issuer> </AuthnRequest> <AuthnRequest> <Response> Example of response <Response> <Assertion> <Subject> </Subject> <AuthnStatement> </AuthnStatement> </Assertion> </Response> Binding defines how these messages are sent to the receiver EITN - Advanced Web Security 7 EITN - Advanced Web Security 8

0--0 SP SP Binding defines how these are sent HTTP redirect Browser is redirected to destination Only used for requests http://idp-example.com/redirect?samlrequest=req&relaystate=token HTTP post An HTML form is created and posted to destination Example request (response is similar) IdP Base6 encoding of SAML message <form method="post" action="https://idp-example.com/redirect > <input type="hidden" name="samlrequest" value="req" /> <input type="hidden" name="relaystate" value="token" /> <input type="submit" value="submit" /> </form> Complete message is not in redirect or in HTML form (not GET or POST) Direct requests and responses Send artifact (reference) in step or instead of actual message Receiver of artifact makes a connection to sender Request-response is exchanged or Response is sent This exchange can use e.g., SOAP if this is something they both support (and prefer) IdP EITN - Advanced Web Security 9 EITN - Advanced Web Security 0 OpenID.0 proposed in 007 Lightweight variant of Single Sign-On Everything well defined but still flexible Open source Suitable when signing in to web pages that provides some personalization Very similar to the SAML Web based single sign-on profile RP,7. Subject attempts to access resource on RP 6 OP. RP performs discovery to locate OP. RP and OP establish an association (optional, uses Diffie-Hellman). RP redirects subject to OP (Authentication request). OP authenticates subject/user 6. OP redirects back to RP with signed authentication message (authentication response) 7. RP verifies message and signature EITN - Advanced Web Security EITN - Advanced Web Security

0--0 Indirect communication Messages are relayed through the user-agent Can be initiated by RP or OP OP Steps and 6 HTTP GET redirect or HTTP POST Direct communication Message are communicated directly between RP and OP Can only be initiated by RP using HTTP POST Step : RP wants to establish association Step 7: Verification of authentication 6 RP,7 OP Identifier Identifier for an OpenID provider Defines which OP the end user is using, e.g., http://www.myopenid.com/. Claimed Identifier The identifier that the user claims to own RP should use this when saving data about a user (account name at RP) User-Supplied Identifier The identifier that the end user presents to the RP Used for discovery. After discovery, the RP will get either an OP Identifier or a Claimed Identifier. OP-Local Identifier The identifier that the user has locally with the OP. EITN - Advanced Web Security EITN - Advanced Web Security Extensible Identifier extensible Descriptor Sequence XRI is a generalized version of URI Globally unique string with more features than URI Can resolve to anything depending on situation Prefix = used for people =john.doe is an XRI for person john.doe Prefix @ used for companies Proxy is used for resolving @company is XRI for company company XRI resolves to XRDS document XML document resolving XRI to anything depending on situation URL XRI Yadis XRDS Email address Web page OpenID Provider EITN - Advanced Web Security Subject provides an XRI or URL to the RP RP normalizes the User-supplied identifier User-supplied identifier Normalize OP-identifier Claimed Identifier If User-Supplied Identifier is an OP identifier, then XRDS document will give URL to OP Tells that the provided identifier is an OP identifier (Part of) XRDS document <Service> <Type>http://specs.openid.net/auth/.0/server</Type> <URI>https://exampleOP.com/auth</URI> </Service> OP Endpoint URL User will choose Claimed Identifier upon authenticating with OP EITN - Advanced Web Security 6

0--0 If User-Supplied Identifier is a claimed identifier, then XRDS document will give URL to OP and possibly an OP-Local identifier Tells that the provided identifier is a claimed identifier (Part of) XRDS document <Service> <Type>http://specs.openid.net/auth/.0/signon</Type> <URI>https://exampleOP.com/auth</URI> <LocalID>https://john-doe.exampleOP.com/</LocalID> </Service> OP-local identifier OP Endpoint URL Used when Yadis protocol does not return XRDS document URL is Claimed Identity URL points to HTML document Further info in HTML <head> In HTML <head> OP Endpoint URL <link rel="openid.provider openid.server" href="https://exampleop.com/auth"/> <link rel="openid.local_id openid.delegate" href="https://john-doe.exampleop.com/"/> Possible to switch to another OP while keeping claimed identifier OP-local identifier EITN - Advanced Web Security 7 EITN - Advanced Web Security 8 GET /accounts/o8/ud? openid.ns=http://specs.openid.net/auth/.0& openid.mode=checkid_setup& openid.claimed_id=http://specs.openid.net/auth/.0/identifier_select& openid.identity=http://specs.openid.net/auth/.0/identifier_select& openid.assoc_handle=amlya9 openid.realm=http://www.somerp.com& openid.ns.ax=http://openid.net/srv/ax/.0& openid.ax.mode=fetch_request& openid.ax.type.attr0=http://axschema.org/contact/email& openid.ax.type.attr=http://axschema.org/nameperson/first& openid.ax.type.attr6=http://axschema.org/nameperson/last& openid.return_to=http://www.somerp.com/ Fixed string OP identifier was entered OP should authenticate subject handle to association between OP and RP Scope of authentication request Attribute info Where to return the response EITN - Advanced Web Security 9 openid.ns=http://specs.openid.net/auth/.0& Fixed string openid.mode=id_res& Fixed string openid.op_endpoint=https://www.google.com/accounts/o8/ud& openid.response_nonce=0--t:0:00z A& openid.return_to=http://www.somerp.com/ & openid.assoc_handle=amlya9 & openid.signed=op_endpoint,claimed_id,identity, & openid.sig=tnxssdjl ldstygqws=& openid.identity=https://www. /id?id=aito & openid.claimed_id=https://www. /id?id=aito & openid.ns.ext=http://openid.net/srv/ax/.0& openid.ext.mode=fetch_response& openid.ext.type.attr=http://axschema.org/nameperson/first& openid.ext.value.attr=martin& Replay protection Same as in request handle to association between OP and RP Signature (Base6) OP URL What was signed OP Local identifier Claimed identifier Attribute info EITN - Advanced Web Security 0

0--0 Allow one service to access a user s information on another server Assume that SSL/TLS is used at all times The server that hosts the resources that a client will get access to. Owner An end user that uses the resource server to store some resources, e.g., files or information. The party that gets (limited) access to resources on the resource server on behalf of the resource owner Authorization The server that issues access tokens for the resource server to the client Can be the same as the resource server (this will be the case in the examples here) One way of doing it. redirects Owner to (authorization request). Owner authenticates to and gives access. owner issues authorization grant. sends grant and authenticates. server issues access token 6. Token used to access resources 6 Owner EITN - Advanced Web Security EITN - Advanced Web Security One type of grant is an authorization code Authorization request using a HTTP GET redirect GET /oauthreq?response_type=code&client_id=nsv89drlh &state=jsasdhfiay&scope=read,make &redirect_uri=https%a%f%fclient%ecom%foauth HTTP/. Host: server.com Response_type gives type of grant _id identifies the client State can be used by client to maintain a state Code is returned to Scope specifies requested access Redirect_uri says where to return grant GET /oauth?code=hdje7hjgdbsjuh9&state=jsasdhfiay HTTP/. Host: client.com Request sent in a HTTP POST Can authenticate using e.g., Basic Access Authentication POST /tokenreq HTTP/. Host: server.com Authorization: Basic cvydmvylmnvbtpwyxnzd9yza== Content-Type: application/x-www-form-urlencoded grant_type=authorization_code&code=hdje7hjgdbsjuh9 &redirect_uri=https%a%f%fclient%ecom%foauth grant_type gives type of grant code is the actual grant redirect_uri is same as when requesting token EITN - Advanced Web Security EITN - Advanced Web Security 6

0--0 Returned to client in JSON format HTTP/. 00 OK Content-Type: application/json;charset=utf-8 Cache-Control: no-store Pragma: no-cache Implicit grant Token is returned immediately without making an explicit grant first Makes sense if is e.g., a javascript { "access_token":"gfrsswfwunb9kgdxaecbv", "token_type":"example", "expires_in":600, "refresh_token":"tgzvjokf0xgqxtlkwia", "scope":"read" } Refresh_token can be used to obtain a new token once the current has expired. redirects Owner to. Owner authenticates. Access token is returned. Access token used to access resources does not authenticate Owner EITN - Advanced Web Security EITN - Advanced Web Security 6 owner gives the username and password to the client Should only be used if Owner fully trusts the. owner sends credentials to. authenticates and sends owner s credentials. issues an access token. can access resources obtains token without going through the resource owner first. authenticates and requests access token. Access token is issued. can access resources using the token Owner EITN - Advanced Web Security 7 EITN - Advanced Web Security 8 7

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information