Federated Identity Management



Similar documents
Federated Identity Management

Federations 101. An Introduction to Federated Identity Management. Peter Gietz, Martin Haase

TIB 2.0 Administration Functions Overview

Logout Support on SP and Application

Computer Systems Security 2013/2014. Single Sign-On. Bruno Maia Pedro Borges

HP Software as a Service. Federated SSO Guide

Federated Identity Management and Shibboleth. Noreen Hogan Asst. Director Enterprise Admin. Applications

Provisioning and deprovisioning in an identity federation

Authentication and Single Sign On

Tenrox. Single Sign-On (SSO) Setup Guide. January, Tenrox. All rights reserved.

SAML-Based SSO Solution

Agenda. How to configure

Enabling Federation and Web-Single Sign-On in Heterogeneous Landscapes with the Identity Provider and Security Token Service Supplied by SAP NetWeaver

New Single Sign-on Options for IBM Lotus Notes & Domino IBM Corporation

Introducing Shibboleth

SAML Federated Identity at OASIS

Masdar Institute Single Sign-On: Standards-based Identity Federation. John Mikhael ICT Department

SAML SSO Configuration

Flexible Identity Federation

A Federated Authorization and Authentication Infrastructure for Unified Single Sign On

This chapter describes how to use the Junos Pulse Secure Access Service in a SAML single sign-on deployment. It includes the following sections:

Title: A Client Middleware for Token-Based Unified Single Sign On to edugain

HP Software as a Service

SAML-Based SSO Solution

Perceptive Experience Single Sign-On Solutions

How Single-Sign-On Improves The Usability Of Protected Services For Geospatial Data

Cloud Single Sign-On and On-Premise Identity Federation with SAP NetWeaver Cloud White Paper

Moodle and Office 365 Step-by-Step Guide: Federation using Active Directory Federation Services

Extending DigiD to the Private Sector (DigiD-2)

Implementation Guide SAP NetWeaver Identity Management Identity Provider

The increasing popularity of mobile devices is rapidly changing how and where we

How To Use Saml 2.0 Single Sign On With Qualysguard

Configuring Single Sign-on from the VMware Identity Manager Service to AirWatch Applications

The Top 5 Federated Single Sign-On Scenarios

Owner of the content within this article is Written by Marc Grote

About Me. Software Architect with ShapeBlue Specialise in. 3 rd party integrations and features in CloudStack

Connected Data. Connected Data requirements for SSO

Canadian Access Federation: Trust Assertion Document (TAD)

Shibboleth User Verification Customer Implementation Guide Version 3.5

Web Based Single Sign-On and Access Control

Egnyte Single Sign-On (SSO) Configuration for Active Directory Federation Services (ADFS)

Improving Security and Productivity through Federation and Single Sign-on

Federation Operator Practice (FOP): Metadata Registration Practice Statement

SAML Authentication within Secret Server

Configuring EPM System for SAML2-based Federation Services SSO

Get Cloud Ready: Secure Access to Google Apps and Other SaaS Applications

MONDESIR Eunice WEILL-TESSIER Pierre FEDERATED IDENTITY. ASR 2006/2007 Final Project. Supervisers: Maryline Maknavicius-Laurent, Guy Bernard

AAI for Mobile Apps How mobile Apps can use SAML Authentication and Attributes. Lukas Hämmerle

PARTNER INTEGRATION GUIDE. Edition 1.0

SAML and OAUTH comparison

Configuring Single Sign-on from the VMware Identity Manager Service to WebEx

Salesforce1 Mobile Security Guide

OpenSSO: Cross Domain Single Sign On

This way, Bluewin will be able to offer single sign-on for service providers within the circle.

Authentication Methods

T his feature is add-on service available to Enterprise accounts.

EXTENDING SINGLE SIGN-ON TO AMAZON WEB SERVICES

IBM WebSphere Application Server

Canadian Access Federation: Trust Assertion Document (TAD)

Federation At Fermilab. Al Lilianstrom National Laboratories Information Technology Summit May 2015

Security Assertion Markup Language (SAML) Site Manager Setup

SAML Security Analysis. Huang Zheng Xiong Jiaxi Ren Sijun

Copyright: WhosOnLocation Limited

Federated Identity Management Solutions

IMPLEMENTING SINGLE SIGN- ON USING SAML 2.0 ON JUNIPER NETWORKS MAG SERIES JUNOS PULSE GATEWAYS

Step-by-Step guide for SSO from MS Sharepoint 2010 to SAP EP 7.0x

SAP NetWeaver AS Java

Getting Started with Single Sign-On

WebNow Single Sign-On Solutions

Single Sign-On for the UQ Web

External and Federated Identities on the Web

Configuring. Moodle. Chapter 82

Identity and Access Management for Federated Resource Sharing: Shibboleth Stories

Single Sign-On: Reviewing the Field

Spring Security SAML module

IGI Portal architecture and interaction with a CA- online

Mobile Security. Policies, Standards, Frameworks, Guidelines

SAML Security Option White Paper

Egnyte Single Sign-On (SSO) Installation for OneLogin

Shibboleth N-Tier Support. Chad La Joie

IBM Tivoli Federated Identity Manager V6.2.2 Implementation. Version: Demo. Page <<1/10>>

Evaluation of different Open Source Identity management Systems

Configuring SAML2 for Single Sign On to Smartsheet (Enterprise Only)

Get Success in Passing Your Certification Exam at first attempt!

DEPLOYMENT GUIDE. SAML 2.0 Single Sign-on (SSO) Deployment Guide with Ping Identity

Ameritas Single Sign-On (SSO) and Enterprise SAML Standard. Architectural Implementation, Patterns and Usage Guidelines

Compass Security. [The ICT-Security Experts] SAML 2.0 [Beer Talk Berlin 2/16/2016] Stephan Sekula

Shibboleth Authentication. Information Systems & Computing Identity and Access Management May 23, 2014

User and Machine Authentication and Authorization Infrastructure for Distributed Wireless Sensor Network Testbeds

SAML Authentication Quick Start Guide

Negotiating Trust in Identity Metasystem

ELM Manages Identities of 4 Million Government Program Users with. Identity Server

Logout in Single Sign-on Systems

Transcription:

Federated Identity Management SWITCHaai Introduction Course Bern, 1. March 2013 Thomas Lenggenhager aai@switch.ch

Overview What is Federated Identity Management? What is a Federation? The SWITCHaai Federation Interfederation Conclusions 2

Federated Identity Older mechanisms assume applications are within the same administrative domain Adding a user from outside means creating an account within your IdM system. This could result in the new user having access to more than just the intended application. Simple technical solutions based on domain cookies Federated Identity Management (FIM) securely shares information managed at a users home organization with remote services. Within FIM systems it doesn t matter if the service is in your administrative domain or another. It s all handled the same. More advanced technical solutions required! è SAML2 SAML = Security Assertion Markup Language 3

Federated Identity (2) In Federated Identity Management: Identity Providers (IdP) asserts authentication and identity information about users Service Providers (SP) check and consume this information for authorization and makes it available to an application An IdP or SP is generically known as an entity The first principle within federated identity management is the active protection of user information Protect the user s credentials only the IdP ever handles the credential Protect the user s identity information, including identifier customized set of information released to each SP 4

What does FIM do for me? Reduces work Authentication-related calls to Penn State University s helpdesk dropped by 85% after they installed Shibboleth Provides current data Studies of applications that maintain user data show that the majority of data is out of date. Are you protecting your app with stale data? Insulation from service compromises In FIM data is pushed to services as needed. If those services are compromised the attacker can t get everyone s data. Minimize attack surface area Only the IdP needs to be able to contact user data stores. All effort can be focused on securing this one connection instead of one or more connections per service. 5

Some other gains Users generally find the resulting single sign-on experience to be nicer than logging in numerous times. Consistent authentication process regardless of the service accessed. Usability-focused individuals like that. A properly maintained federation drastically simplifies the process of integrating new services. 6

What is a Federation? A group of organizations running IdPs and SPs that agree on a common set of rules and standards An organization may belong to more than one federation at a time The grouping can be on a regional level (e.g. SWITCHaai) or on a smaller scale (e.g. large campus) IdPs and SPs "know" nothing about federations They read metadata! 7

What are these rules of which you speak? Technical Interoperability Supported protocols User authentication mechanisms User attribute specifications Accepted X.509 server certificates Legal Interoperability Membership agreement or contract Federation operation policies Requirements on identity management practices Others Common/best operational practices http://switch.ch/aai/bcp 8

What does a Federation do? At a minimum a federation maintains the list of which IdPs and SPs are in the federation Most federations also define agreements, rules, and policies provide some user support (documentation, email list, etc.) operate a central discovery service and test infrastructure Some federations provide self-service tools for managing IdP and SP data provide application integration support host or help with outsourced IdPs provide tools for managing "guest" users develop custom tools for the community http://switch.ch/aai/idp-hosting http://switch.ch/aai/vho 9

Federation Metadata An XML document that describes every federation entity Contains Unique identifier for each entity known as the entityid Endpoints where each entity can be contacted Certificates used for signing and encrypting data May contain Organization and person contact information Information about which attributes an SP wants/needs Metadata is usually distributed by a public HTTP URL The metadata should be digitally signed Bilateral metadata exchange scales very badly Metadata must be kept up to date so that New entities can work with existing ones Old, or revoked, entities are blocked http://switch.ch/aai/metadata 10

SWITCHaai Federation (1) SWITCH consults with two bodies Advisory Committee deals with policies and legal framework Community Group deals with technical/operational issues Two classes of SWITCHaai Participants SWITCH Community Organization fits the definition from the SWITCH Service Regulations Federation Partner Organization sponsored by a SWITCHaai Participant from the SWITCH Community http://switch.ch/aai/about/federation/ 11

SWITCHaai Federation (2) SWITCH operates the SWITCHaai Federation AAI is a Basic Service for the SWITCH Community 12

SWITCHaai: Rules, Policies, & Agreements SWITCHaai Service Description (includes the Policy) concepts and rules for all entities in the federation http://switch.ch/aai/docs/switchaai_service_description.pdf Federation Partner Agreement legal contract between SWITCH and federation partner Certificate Acceptance Policy policy certificates accepted by the federation AAI Attribute Specification minimum set of core and optional attributes supported by federation entities http://switch.ch/aai/docs/aai_attr_specs.pdf 13

SWITCHaai: The Legal Framework Federal Law, Cantonal Law! (e.g. data protection)! SWITCHaai Service Description! (includes Policy)! SWITCH! Service Regulations! Federation Partner Agreement & GTC! Org 1! Org 2! Org...! Org n! User Regulations! User Regulations! User Regulations! SWITCH Community! Federation Partners! 14

SWITCHaai & Interfederation http://switch.ch/aai/interfederation 15

Conclusions Federated Identity Management provides scalable, protected access to services also in other administrative domains supports data protection by releasing only personal data as required by the SP separates responsibilities for authentication and authorization is based on a set of rules and guidelines to support trust 16

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information