Biometric Single Sign-on using SAML

Similar documents
Biometric Single Sign-on using SAML Architecture & Design Strategies

Biometric SSO Authentication Using Java Enterprise System

Interoperable Provisioning in a Distributed World

Stronger Authentication with Biometric SSO

Securing Web Services With SAML

SAML Security Option White Paper

Web Services Security: OpenSSO and Access Management for SOA. Sang Shin Java Technology Evangelist Sun Microsystems, Inc. javapassion.

Allidm.com. SSO Introduction. Discovering IAM Solutions. Leading the IAM facebook/allidm

SAML:The Cross-Domain SSO Use Case

Contents at a Glance. 1 Introduction Basic Principles of IT Security Authentication and Authorization in

SAML-Based SSO Solution

SAP NetWeaver Single Sign-On. Product Management SAP NetWeaver Identity Management & Security June 2011

Federated Identity in the Enterprise

Agenda. How to configure

NCSU SSO. Case Study

Federations 101. An Introduction to Federated Identity Management. Peter Gietz, Martin Haase

TECHNOLOGY BRIEF: INTEGRATED IDENTITY AND ACCESS MANAGEMENT (IAM) An Integrated Architecture for Identity and Access Management

Cloud Single Sign-On and On-Premise Identity Federation with SAP NetWeaver Cloud White Paper

Security Assertion Markup Language (SAML)

Federated Identity Management Solutions

SAML for EPCS (Electronic Prescription of Controlled Substances)

Computer Systems Security 2013/2014. Single Sign-On. Bruno Maia Pedro Borges

Evaluation of different Open Source Identity management Systems

Secure Identity in Cloud Computing

New Single Sign-on Options for IBM Lotus Notes & Domino IBM Corporation

Research and Implementation of Single Sign-On Mechanism for ASP Pattern *

The Primer: Nuts and Bolts of Federated Identity Management

An Oracle White Paper Dec Oracle Access Management Security Token Service

Security Assertion Markup Language (SAML) 2.0 Technical Overview

Trusting XBRL: Using the Liberty Web Services Framework to Secure and Authenticate XBRL Documents

Web Services Security: What s Required To Secure A Service-Oriented Architecture. An Oracle White Paper January 2008

Perceptive Experience Single Sign-On Solutions

Implementation Guide SAP NetWeaver Identity Management Identity Provider

<Insert Picture Here> Oracle Security Developer Tools (OSDT) August 2008

Gabriel Magariño. Software Engineer. Overview Revisited

WebLogic Server 7.0 Single Sign-On: An Overview

The Primer: Nuts and Bolts of Federated Identity Management

Security solutions Executive brief. Understand the varieties and business value of single sign-on.

Secure Credential Federation for Hybrid Cloud Environment with SAML Enabled Multifactor Authentication using Biometrics

Title: A Client Middleware for Token-Based Unified Single Sign On to edugain

JVA-122. Secure Java Web Development

DocuSign Single Sign On Implementation Guide Published: March 17, 2016

TrustedX - PKI Authentication. Whitepaper

IMPLEMENTING SINGLE SIGN- ON USING SAML 2.0 ON JUNIPER NETWORKS MAG SERIES JUNOS PULSE GATEWAYS

Flexible Identity Federation

How To Get A Single Sign On (Sso)

OSOR.eu eid/pki/esignature Community Workshop in Brussels, 13. November 2008 IT Architect Søren Peter Nielsen - spn@itst.dk

Cloud Standards. Arlindo Dias IT Architect IBM Global Technology Services CLOSER 2102

Secure the Web: OpenSSO

Authentication Methods

nexus Hybrid Access Gateway

SAML-Based SSO Solution

Introduction to SAML

Stronger / Multi-factor Authentication For Enterprise Applications (Identity Assurance using PKI, Smart cards and Biometrics)

Liberty Alliance. CSRF Review. .NET Passport Review. Kerberos Review. CPSC 328 Spring 2009

The Role of Federation in Identity Management

HP Software as a Service. Federated SSO Guide

Masdar Institute Single Sign-On: Standards-based Identity Federation. John Mikhael ICT Department

SAML Federated Identity at OASIS

WebNow Single Sign-On Solutions

PARTNER INTEGRATION GUIDE. Edition 1.0

STUDY ON IMPROVING WEB SECURITY USING SAML TOKEN

This Working Paper provides an introduction to the web services security standards.

Enabling Federation and Web-Single Sign-On in Heterogeneous Landscapes with the Identity Provider and Security Token Service Supplied by SAP NetWeaver

White Paper Delivering Web Services Security: The Entrust Secure Transaction Platform

The increasing popularity of mobile devices is rapidly changing how and where we

Authentication Integration

Secure Identity Propagation Using WS- Trust, SAML2, and WS-Security 12 Apr 2011 IBM Impact

OIO Web SSO Profile V2.0.5

Biometrics for Global Web Authentication: an Open Source Java/J2EE-Based Approach

Project Title: Judicial Branch Enterprise Document Management System RFP Number: FIN122210CK Appendix D Technical Features List

CA Single Sign-On r12.x (CA SiteMinder) Implementation Proven Professional Exam

Federated AAA middleware and the QUT SSO environment

Shibboleth N-Tier Support. Chad La Joie

This chapter describes how to use the Junos Pulse Secure Access Service in a SAML single sign-on deployment. It includes the following sections:

Authentication and Single Sign On

White Paper Cybercom & Axiomatics Joint Identity & Access Management (R)evolution

INTEGRATION GUIDE. IDENTIKEY Federation Server for Juniper SSL-VPN

Open Data Center Alliance Usage: Single Sign On Authentication REv. 1.0

Integrating Apex into Federated Environment using SAML 2.0. Jon Tupman Portalsoft Solutions Ltd

SAML SSO Configuration

OpenHRE Security Architecture. (DRAFT v0.5)

Extending DigiD to the Private Sector (DigiD-2)

RealMe. Technology Solution Overview. Version 1.0 Final September Authors: Mick Clarke & Steffen Sorensen

INUVIKA OPEN VIRTUAL DESKTOP ENTERPRISE

Open Source Identity Integration with OpenSSO

An Oracle White Paper August Oracle OpenSSO Fedlet

Ameritas Single Sign-On (SSO) and Enterprise SAML Standard. Architectural Implementation, Patterns and Usage Guidelines

Transcription:

Biometric Single Sign-on using SAML Architecture & Design Strategies Ramesh Nagappan CISSP Ramesh.Nagappan@sun.com 1

Setting Expectations What you can take away! Understand the importance of Single Sign-On (SSO) and its role in enterprise IT applications. Get introduced to SAML standard for enabling SSO with Biometric authentication. Understand the Architecture and Strategies for implementing Biometric SSO using SAML. How to build Multifactor SSO using Biometrics in enterprise IT applications. 2

Agenda The State of the Industry > CIO Headaches > Identity Management - Promises > Single Sign-on : SAML to the rescue The role of SAML in Biometric SSO > Anatomy of SAML > SAML use cases > How it works Biometric SSO: Architecture & strategies > Tools of the Trade > Implementation Strategies > Multi-factor SSO using Biometrics 3

Information is Everywhere Growing Exponentially Thanks to Internet and Open Standards 4

Virtual Enterprise Web based Application Proliferation Internet 5

Multiple Sign-on: Authentication Silos 6

The CIO Headaches Drive business innovation Protect corporate information Improve customer experience Enable regulatory compliance Streamline the IT operations Information Security, Compliance and User Experience 7

Security Requires a Delicate Balance Consistent user experience without sacrificing security Height of Fences? Ease of Access? How much you can balance Security vs. User experience? 8

Security and Identity Management Bringing Together People and Information Security People Authentication Authorization Auditing Security Confidentiality Integrity Availability 9

The Promise of Identity Management Why it is important? Standardized Platform for managing Identity life-cycle of an organization and its partners Single sign-on (SSO) access to disparate resources within an enterprise and beyond organizational boundaries. > SSO and Cross-domain SSO based authentication and authorization > Enhance security with Multi-factor based strong authentication > Extend access to trusted partnerships via Federated SSO over Internet Centralized or distributed policy enforcement Track and audit authentication and authorization events. Provisioning and De-provisioning users on-demand Compliance Reporting Identity Management is Key to a Successful Security Strategy 10

Single Sign-on : In reality Single sign-on offers Consistent User experience & Enhanced Security Allow access to disparate resources with Strong authentication Identity Management is Key to a Successful Security Strategy 11

Enabling Biometric SSO: Challenges Common development challenges? How to enable Biometric callbacks in Web based applications. > Representing device callbacks without client-side dependencies. > How to ensure confidentiality and integrity of biometric samples in transit. How to identify and verify the client origin host? > Identifying spoofed connections, message replay attack and session hijacks. How to manage user sessions, idle time and single logout? How to initiate authentication and share state within a Multifactor authentication session? How to avoid multiple sign-on scenarios? > Propagating security context within trust boundaries and avoid re-authentication. How to perform biometric enrollment in a registration workflow? 12

Introducing SAML Overview Security Assertions Markup Language Open XML Standard protocol for exchanging authentication and authorization information > OASIS approved Industry-standard. > Designed for SSO, Multi-domain SSO and Federation > SAML 2.0 allow use of SAML in devices, support session management in Web applications. Promotes Interoperability among Identity Providers and Service providers. SAML is used by other industry-standards Liberty Alliance, OASIS WS-Security and Shibboleth. 13

SAML Adoption How is SAML being used? Web Single sign-on (SSO) > SAML enables SSO through exchanging authentication assertions. > SSO can be part of single or multiple autonomous domains. Federated Identity > Establish Federated Identity sharing between trusted partners. Attribute-Based Authorizations > Communicate Identity information about a subject from Web site to another. Securing Web Services > SAML assertions can be used within SOAP Messages. > OASIS WS-Security TC has defined a SAML Profile to support use of SAML. 14

Anatomy of SAML Core components SAML Assertions > A set of one or more statements made by a SAML Authority/Identity provider. SAML Protocols > Define Request/Response protocols to support exchanging assertions. > Ex. Authentication Request, Single Logout SAML Bindings > Defines how SAML can be communicated using Profile Bindings Protocols Assertions standard protocols. (ex. HTTP, SOAP) SAML Profiles > Defines the usage of SAML for an application. > Ex. Web Browser SSO Profile Anatomy of SAML 15

Anatomy of SAML... contd. Environment specific components SAML Metadata > Defines how a SAML entity describe its configuration data. Authentication Context > Defines the type and strengths of authentication requirements. > What authentication processes are enforced before issuing the assertion. (Ex. Using Multi-factor authentication) 16

SAML Assertions SAML Assertions are statements issued by a SAML Authority Authentication Assertion > SAML statement that represents a successful authentication performed on a subject (Service requestor). Authorization Decision Assertion SAML Assertion Authentication Assertion > It represents an authorization decision that subject is allowed to access a requested resource. > Ex. Ramesh Nagappan is permitted to speak at BC 2006. Authorization Assertion Attribute Assertion > It identifies the attributes of a subject, especially additional data intended for the service provider. > Ex. Ramesh Nagappan works for Sun Microsystems. Attribute Assertion SAML Assertions 17

Anatomy of SAML Message <saml:assertion xmlns:saml="urn:oasis:names:tc:saml:2.0:assertion" Version="2.0" IssueInstant="2006-08-01T17:50:50.000Z"> <saml:issuer>http://nramesh.east.sun.com/</saml:issuer> <!-- Digital signature of the issuer --> <ds:signature>...</ds:signature> <saml:subject> <saml:nameid format="urn:oasis:names:tc:saml:2.0:nameid-format:persistent"> xyz000181 </saml:nameid> </saml:subject> <saml:authnstatement AuthnInstant="2006-08-01T17:50:30.000Z" SessionIndex="123456"> <saml:authncontext> <saml:authncontextclassref> urn:oasis:names:tc:saml:2.0:ac:classes:passwordprotectedtransport </saml:authncontextclassref> </saml:authncontext> </saml:authnstatement> </saml:assertion> 18

SAML Security How to protect SAML assertions? SAML recommends the use of HTTP over SSL/TLS for ensuring transportlevel security. > Prevents MITM attacks on SAML assertions. SAML supports XML Signature and XML Encryption for ensuring messagelevel confidentiality and integrity. > The SAML constructs can be encrypted and digitally signed before issuing the assertion. 19

SAML Use Case Scenario Single sign-on Authenticate Pro Ac tec ces (SA ted s res ML our As ser c tion e ) SAML Compliant Identity Provider (ex. identityprovider.sun.com) SAML Asserting Party SAML Aware Service Provider (ex. services.ebay.com) SAML Relying Party 20

Biometric SSO Architecture and Design Strategies Identity Provider Makes use of SAML compliant Identity provider to issue SAML assertions. Biometric vendor is configured as an authentication provider. Biometric AuthN Makes use of SAML enabled Biometric authentication provider to issue SAML assertions. > Ex. OpenSAML support > Ex. Java Authentication and Authorization (JAAS) LoginModule. 21

Biometric SSO: Tools of the Trade Identity Provider Infrastructure > > > > > OASIS SAML 2.0 Liberty Phase II JAAS (Java Authentication & Authorization Service) LDAP v3 JSR-196 (Authentication Provider) Biometric Authentication Infrastructure > JAAS LoginModule > OASIS SAML 2.0 > OASIS SPML 2.0 Adapter Identity Provisioning Infrastructure > OASIS SPML 2.0 > OASIS WS-BPEL 1.1 22

Biometric SSO : IdP Strategy Using a SAML compliant Identity Provider J2EE Applications Request Access Biometrics Single/Multi-modal SAML Compliant Identity Provider Infrastructure Perform Authentication Issue SAML Assertion Databases Directories Biometric AuthN Middleware Enterprise Applications * [SAML Asserting Authority] [SAML Relying Authorities] 23

Biometric SSO : Bio AuthN Provider Strategy Using a SAML compliant Biometric Authentication Provider J2EE Applications Request Access* Biometrics Single/Multi-modal SAML compliant Biometric AuthN Middleware Perform Authentication & Issue SAML Assertion Issue SAML Assertion Databases Directories Enterprise Applications * [SAML Asserting Authority] [SAML Relying Authorities] 24

Multi-factor SSO including Biometrics Case study with Sun Java System Access Manager and Biobex [SAML Asserting Authority] [SAML Relying Authority] Sun Java System Access Manager Multi-modal Biometrics Authentication Authorization Single Sign-on Policies Multi-Domain SSO SSL User/Role Pr ofiles Federated SSO SAML Desktops* Assertion * Databases / Directories Audit Logs Smartcard (CAC/PKCS#15) Portal Applications Perform Authentication Chain BiObex Password [Authentication Certificate Authority w/ OCSP Resp. Providers] LDAP Directory / Oracle Database Enterprise Applications * 25

Further References Core Security Patterns > Chris Steel, Ramesh Nagappan & Ray Lai > Special focus on Identity Management using Biometrics and Smartcards > www.coresecuritypatterns.com OASIS SAML 2.0 > www.oasis-open.org/specs/index.php#samlv2.0 Sun Java System Identity Suite > www.sun.com/products/identity/index.jsp Article: Biometric Authentication for J2EE and Web based Applications http://developers.sun.com/prodtech/identserver/reference/techart/bioauthentication.html 26

Biometric Single Sign-on using SAML Architecture and Design Strategies Ramesh Nagappan nramesh@post.harvard.edu www.coresecuritypatterns.com/downloads

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information