Identity Federation: Bridging the Identity Gap Michael Koyfman, Senior Global Security Solutions Architect
The Need for Federation
5 key patterns that drive Federation evolution - Mary E. Ruddy, Gartner
- The movement of applications out of the enterprise domain
- The movement of user populations out of the enterprise domain
- The movement of devices out of the enterprise domain
- The movement of IAM out of the enterprise domain
- The movement of the enterprise domain itself
F5 Agility 2014
Federated Identity: What is it?
- Companies outsource applications and infrastructure at a very rapid pace
- Having each application enforce authority over the user's identity is cumbersome
- There is no cross-application password synchronization mechanism
- Users can't easily manage coterminous password expiration across various applications
- Not all applications can support the same userid format as the one primarily in use
- Companies need to provide access to customers and partners without the added headaches of manually managing user accounts and password resets
Federated Identity: How does it help?
- Controls identity and access within the enterprise
- Flexibility to use cloud applications and infrastructure
- Creates a trust between two entities using industry standards
- Allows B2B authentication with cloud and SaaS providers
- Instant termination of authentication upon employee departure
- No need to duplicate the directory everywhere
SAML POST vs. Artifact
POST binding
- The user's browser sits in between all communications of the SP and the IdP; the browser acts as an intermediary for the transmission of all messages
- Disadvantages: all communications go through the user's browser, so the messages could be intercepted by malicious code on the user's PC
- Advantages: simpler than the Artifact binding; does not require a direct network connection between the IdP and the SP
Artifact binding
- A partial direct connection between the IdP and the SP; that connection is used during the ArtifactResolve / ArtifactResponse phases, hence avoiding the security risk introduced by a connection that passes through the middle (the browser)
- Disadvantages: requires a direct connection between the IdP and the SP, which can lead to firewall/name-resolution/routing issues that must be solved; the communication flow is longer and more complex
- Advantages: communications are considered more secure
OAuth 2.0: Open standard for Authorization
- OAuth is often described as a valet key for the web
- Proposed Standard: RFC 6749
- Key drivers: Twitter, Facebook
- OAuth 2.0 is not compatible with 1.0
SAML 2.0: Using Assertions to Authenticate
- A SAML Assertion is a token/cookie used to authenticate users (simplified)
- Signing the Assertion
- Encrypting the Assertion
SAML IdP (Identity Provider)
- The device that authenticates the user
- The device that creates, signs, encrypts and inserts the Assertion
- The device that redirects the user to the target application with the Assertion
SAML SP (Service Provider)
- The device that redirects the user request to the IdP for authentication
- The device that consumes the Assertion and validates it
- The device that redirects the authenticated user to the application
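The slide splits the work between the IdP (creates and signs the Assertion) and the SP (consumes and validates it). The added example below, which is not part of the deck or of any F5 product code, shows both halves on a minimal unencrypted SAML 2.0 Assertion: the IdP side builds and signs it, the SP side performs the checks an assertion consumer must pass before trusting the NameID (signature, Issuer, validity window, Audience, Recipient, and one-time use of InResponseTo). Assumptions: an HMAC-SHA256 over the serialized XML stands in for the real XML-DSig signature, the entity IDs login.f5se.com / mail.f5se.com are taken from the deck's lab names, and the key, user and timestamps are constructed.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("saml", NS)
TS = "%Y-%m-%dT%H:%M:%SZ"
# Constructed clock for the demo (assumption, not from the deck).
DEMO_NOW = datetime(2014, 8, 1, 12, 0, 0, tzinfo=timezone.utc)


def _tag(name):
    return f"{{{NS}}}{name}"


def _iso(dt):
    return dt.strftime(TS)


def _parse(s):
    return datetime.strptime(s, TS).replace(tzinfo=timezone.utc)


def build_assertion(issuer, name_id, audience, in_response_to, now, lifetime_s=300):
    """IdP side: build a minimal, unencrypted SAML 2.0 Assertion and return it as bytes."""
    not_after = _iso(now + timedelta(seconds=lifetime_s))
    seed = f"{issuer}{name_id}{_iso(now)}{in_response_to}".encode()
    assertion_id = "_" + hashlib.sha256(seed).hexdigest()[:32]
    a = ET.Element(_tag("Assertion"), Version="2.0", ID=assertion_id, IssueInstant=_iso(now))
    ET.SubElement(a, _tag("Issuer")).text = issuer
    subject = ET.SubElement(a, _tag("Subject"))
    ET.SubElement(subject, _tag("NameID")).text = name_id
    conf = ET.SubElement(subject, _tag("SubjectConfirmation"),
                         Method="urn:oasis:names:tc:SAML:2.0:cm:bearer")
    ET.SubElement(conf, _tag("SubjectConfirmationData"), InResponseTo=in_response_to,
                  NotOnOrAfter=not_after, Recipient=audience)
    cond = ET.SubElement(a, _tag("Conditions"), NotBefore=_iso(now), NotOnOrAfter=not_after)
    ar = ET.SubElement(cond, _tag("AudienceRestriction"))
    ET.SubElement(ar, _tag("Audience")).text = audience
    return ET.tostring(a)


def sign_assertion(assertion_bytes, key):
    """Stand-in for the IdP's XML signature: HMAC-SHA256 over the serialized assertion."""
    return hmac.new(key, assertion_bytes, hashlib.sha256).hexdigest()


def validate_assertion(assertion_bytes, signature, key, expected_issuer,
                       expected_audience, outstanding_requests, now):
    """SP side: every check the assertion consumer must pass before trusting the NameID.

    Returns (True, name_id) on success, (False, reason) otherwise."""
    # 1. Integrity first: nothing inside the XML is trusted until the signature holds.
    if not hmac.compare_digest(sign_assertion(assertion_bytes, key), signature):
        return False, "signature mismatch"
    root = ET.fromstring(assertion_bytes)
    # 2. The assertion must come from the IdP this SP is federated with.
    if root.findtext(_tag("Issuer")) != expected_issuer:
        return False, "unexpected issuer"
    # 3. Validity window (clock is passed in so the check is testable).
    cond = root.find(_tag("Conditions"))
    if not (_parse(cond.get("NotBefore")) <= now < _parse(cond.get("NotOnOrAfter"))):
        return False, "outside validity window"
    # 4. The assertion must be meant for this SP, not for some other relying party.
    if expected_audience not in [e.text for e in cond.iter(_tag("Audience"))]:
        return False, "audience mismatch"
    scd = root.find(f".//{_tag('SubjectConfirmationData')}")
    if scd is None or scd.get("Recipient") != expected_audience:
        return False, "recipient mismatch"
    # 5. It must answer an AuthnRequest this SP actually sent, and only once.
    in_response_to = scd.get("InResponseTo")
    if in_response_to not in outstanding_requests:
        return False, "unsolicited or replayed InResponseTo"
    outstanding_requests.discard(in_response_to)
    return True, root.findtext(f".//{_tag('NameID')}")


def demo():
    """Run the IdP/SP exchange plus the failure cases an SP must reject."""
    key = b"constructed-shared-secret"          # stands in for IdP signing key / SP trust anchor
    idp, sp = "https://login.f5se.com", "https://mail.f5se.com"
    outstanding = {"_authnreq-1"}               # AuthnRequest IDs the SP is still waiting on
    assertion = build_assertion(idp, "alice@f5se.com", sp, "_authnreq-1", DEMO_NOW)
    sig = sign_assertion(assertion, key)
    later = DEMO_NOW + timedelta(seconds=10)
    return {
        "valid": validate_assertion(assertion, sig, key, idp, sp, outstanding, later),
        "replay": validate_assertion(assertion, sig, key, idp, sp, outstanding, later),
        "tampered": validate_assertion(assertion.replace(b"alice", b"mallory"), sig, key,
                                       idp, sp, {"_authnreq-1"}, later),
        "expired": validate_assertion(assertion, sig, key, idp, sp, {"_authnreq-1"},
                                      DEMO_NOW + timedelta(seconds=600)),
        "wrong_audience": validate_assertion(assertion, sig, key, idp,
                                             "https://other.example", {"_authnreq-1"}, later),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:15s} -> {outcome}")
```

The order of checks matters: the signature is verified over the raw bytes before anything is parsed, so a tampered NameID is rejected without the SP ever acting on it, and the InResponseTo set is consumed on success so the same Assertion presented twice (the replay case) is refused.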
SAML Design (Public SP Application) - Academic Environment
1. An Internet user makes a SAML-supported request for a resource
2. The Service Provider (SP) application performs IdP Discovery to find out how to authenticate the user
3. APM detects the user's IdP and redirects the user to their specific IdP using an SP-initiated POST (or Redirect)
4. The Internet user makes the SAML-supported request for the resource again, this time including the SAML Assertion
5. APM validates the assertion and sends the request to the application. APM also has the ability to perform an LDAP/AD query for further validation and to set appropriate ACLs based on variables such as domain, user, device type, origin network, etc.
(Diagram: Internet, University App, DMZ SAML SP, Private/Public Cloud, LDAP, Research App)
Question - How will we detect the user's IdP?
- Host
- URI
- Email
- Other
Anything that is constant and predictable can be used for IdP Discovery
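As an added example (not code from the deck or from APM), the function below implements the discovery rule the slide describes: it derives the IdP from whichever constant, predictable attribute is available, with a fixed precedence of email hint, then request host, then URI prefix. It goes slightly beyond the slide in two ways: an email hint is matched on the domain and its parent domains, and every match comes from a closed table of known IdPs, so a request can never be redirected to an IdP the SP has not been configured to trust. The IdP entity IDs, hostnames and paths in the rule tables are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed rule tables (assumptions, not from the deck): only IdPs listed here can ever
# be the target of a discovery decision.
EMAIL_DOMAIN_RULES = {
    "f5se.com": "https://login.f5se.com",
    "university.edu": "https://idp.university.edu",
}
HOST_RULES = {
    "mail.f5se.com": "https://login.f5se.com",
    "research.university.edu": "https://idp.university.edu",
}
URI_PREFIX_RULES = {
    "/partner/acme/": "https://sso.acme.example",
    "/partner/": "https://sso.partners.example",
}

EMAIL_RE = re.compile(r"^[^@\s]+@([a-z0-9.-]+\.[a-z]{2,})$")


def _email_domain(email):
    """Normalize a user-supplied email hint and extract its domain, or None if malformed."""
    m = EMAIL_RE.match(email.strip().lower())
    return m.group(1) if m else None


def _lookup_domain(domain):
    """Match the domain or any parent domain (mail.university.edu -> university.edu)."""
    labels = domain.split(".")
    for i in range(len(labels) - 1):          # never fall back to a bare TLD
        candidate = ".".join(labels[i:])
        if candidate in EMAIL_DOMAIN_RULES:
            return EMAIL_DOMAIN_RULES[candidate]
    return None


def discover_idp(request_url, email_hint=None):
    """Return (idp_entity_id, method) on success or (None, reason) when nothing matched."""
    parts = urlsplit(request_url)
    host = (parts.hostname or "").lower()     # hostname drops the port and case
    path = parts.path or "/"
    if email_hint is not None:
        # An explicit hint that matches nothing is an error, not a reason to guess.
        domain = _email_domain(email_hint)
        idp = _lookup_domain(domain) if domain else None
        return (idp, "email") if idp else (None, "unknown email domain")
    if host in HOST_RULES:
        return HOST_RULES[host], "host"
    # Longest prefix wins so /partner/acme/ beats the generic /partner/ rule.
    for prefix in sorted(URI_PREFIX_RULES, key=len, reverse=True):
        if path.startswith(prefix):
            return URI_PREFIX_RULES[prefix], "uri"
    return None, "no rule matched"


if __name__ == "__main__":
    for url, hint in [("https://mail.f5se.com/owa/", None),
                      ("https://portal.example.com/partner/acme/docs", None),
                      ("https://portal.example.com/", "Alice@Mail.University.EDU"),
                      ("https://portal.example.com/", None)]:
        print(url, hint, "->", discover_idp(url, hint))
```

When no rule matches, the SP should show a "your organization is not federated" page rather than pick a default IdP; the slide's "constant and predictable" criterion only holds for attributes the SP controls or has agreed with its partners.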
IDP Discovery Demo
SAML: Authenticating to the App without User/Pass
- The SAML Assertion replaces the requirement for a password
- APM SSO to the application will be Kerberos (KCD), custom auth via headers, or something similar
- You must understand how the application identifies the user and creates a session
- Any mechanism requiring a password will not work: NTLM, Basic, Forms POST
- Unless the IdP passes the original user's password as a parameter and it is valid in the context of authenticating to the application; then NTLM/Basic/Forms can be used
(Diagram: OWA.customer.com, Sharepoint.customer.com, Internal Application)
Exchange Hybrid Federation Scenario: user with mailbox on premises
(Diagram: login.f5se.com, Customer DataCenter, User, Active Directory, CAS Array, Azure Cloud)
1. User goes to https://mail.f5se.com
2. The Exchange SP virtual server sends them to the IdP login.f5se.com with a SAML AuthN request
3. User enters their credentials and authenticates to the login service
4. Login responds with a SAML Assertion that contains username and password; it gets sent to the OWA SP
5. The Exchange SP policy checks whether the user is on-premises and forwards to the CAS (mail.f5se.com)
Exchange Hybrid Federation Scenario: user with mailbox hosted in Office 365
(Diagram: login.f5se.com, Customer DataCenter, User, Active Directory, mail.f5se.com, CAS Array, Azure Cloud)
1. User goes to https://mail.f5se.com
2. The Exchange SP virtual server sends them to the IdP login.f5se.com with a SAML AuthN request
3. User enters their credentials and authenticates to the login service
4. Login responds with a SAML Assertion that contains username and password; it gets sent to https://mail.f5se.com
5. The Exchange SP policy determines the user is hosted in Office 365 and redirects them to https://outlook.com/owa/f5se.com
6. Office 365 sends an authentication request to login.f5se.com
7. The login.f5se.com IdP responds with a SAML assertion (the user has already authenticated to it in step 3) and the user is signed on to OWA in Office 365
SAML - Federating APM's Authentication to the App (With and Without Password)
The client successfully logs on to an Internal Application where the APM VIP requires SAML authentication:
1. The BIG-IP VIP should be configured to redirect to the corporate Login.customer.com
2. An SP-initiated POST is sent back to the client in the form of a redirect to the IdP (https://login.f5se.com)
3. The client is presented with a username/password form from the IdP (including 2-factor, based on policy)
4. The APM policy is run to authenticate the user against their user store
5. The user's browser is presented with a SAML Assertion
6. The client is redirected to the VIP and APM successfully logs the user on to the Internal Application
(Diagram: Data Center 1: Login.customer.com, Users, Portal.customer.com; Private/Public Cloud: OWA.customer.com, Sharepoint.customer.com, Internal Application)
SAML - Federating APM's Authentication to the App (With and Without Password)
Let's look at how the applications create a session:
- OWA authenticates users via Kerberos, so no password is required
- Sharepoint uses NTLM. F5 APM as an IdP can be configured to insert session.logon.last.password into the Assertion as a SAML variable; the APM functioning as SP can use this when creating the session for the user
- The Internal Application authenticates the user via HTTP header and trusts the BIG-IP. The variable ${session.logon.last.password} is not required to be inserted by the IdP for use at the SP
Demo: Authenticating to Sharepoint using SAML on the front and NTLM to the server
SAML SLO: Single LogOut
Initiated from APM
- As SP: the final logout POST is done to the logout URL in the IdP connector
- As IdP: a POST is done to the logout URL in the SP connectors
- Logout URL: done whenever the my.logout.php3 URL is encountered
Initiated from elsewhere
- APM as SP: we kill the session and do a POST to the response URL in the IdP connector
- As IdP: we kill the session and do a POST to the response URL in the SP connector
(Sequence diagram: Users, IDP, SP1, SP2; numbered messages 1 Logout URL, 2 Logout SP1, 3 Logout RQ1, 4 Logout RSP1, 5 Logout RSP1, 6 Logout RQ SP2, 7 Logout RSP SP2, 8, 9 Final Logout)
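The slide lists who kills which session and where the LogoutRequest / LogoutResponse POSTs go, but the ordering is easier to see in code. The added example below, which is not code from the deck or from APM, simulates both cases the slide names: an SP-initiated logout (SP kills its session, posts a LogoutRequest to the IdP, the IdP kills its session and fans out to every other SP in that session, then returns the final LogoutResponse to the initiator) and an IdP-initiated logout (the logout URL is encountered at the IdP, which fans out to all SPs). The entity IDs reuse the deck's lab hostnames; the users, SessionIndex values, status URIs and the in-memory session stores are constructed for the example, and the HTTP POSTs are replaced by direct method calls with a trace of every message.

```python
from dataclasses import dataclass
from itertools import count

SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
PARTIAL = "urn:oasis:names:tc:SAML:2.0:status:PartialLogout"
DENIED = "urn:oasis:names:tc:SAML:2.0:status:RequestDenied"
_ids = count(1)  # constructed message-ID source


@dataclass
class LogoutRequest:
    issuer: str
    name_id: str
    session_index: str
    request_id: str


@dataclass
class LogoutResponse:
    issuer: str
    in_response_to: str
    status: str


class ServiceProvider:
    """APM as SP: local sessions keyed by the IdP's SessionIndex."""

    def __init__(self, entity_id, idp_entity):
        self.entity_id = entity_id
        self.idp_entity = idp_entity
        self.sessions = {}            # session_index -> name_id

    def login(self, name_id, session_index):
        self.sessions[session_index] = name_id

    def handle_logout_request(self, req, trace):
        """Kill the session and POST a LogoutResponse to the response URL in the IdP connector."""
        if req.issuer != self.idp_entity:
            status = DENIED           # only the configured IdP connector may end sessions here
        else:
            self.sessions.pop(req.session_index, None)
            status = SUCCESS
        trace.append(("LogoutResponse", self.entity_id, req.issuer, status))
        return LogoutResponse(self.entity_id, req.request_id, status)


class IdentityProvider:
    """APM as IdP: remembers which SPs took part in each session so SLO can reach all of them."""

    def __init__(self, entity_id):
        self.entity_id = entity_id
        self.sessions = {}            # session_index -> (name_id, set of SP entity IDs)

    def login(self, name_id, session_index, sp):
        self.sessions.setdefault(session_index, (name_id, set()))[1].add(sp.entity_id)
        sp.login(name_id, session_index)

    def _propagate(self, session_index, name_id, participants, sps, trace):
        """POST a LogoutRequest to the logout URL in each participating SP connector."""
        statuses = []
        for sp in sps:
            if sp.entity_id not in participants:
                continue
            req = LogoutRequest(self.entity_id, name_id, session_index, f"_idp{next(_ids)}")
            trace.append(("LogoutRequest", self.entity_id, sp.entity_id, session_index))
            statuses.append(sp.handle_logout_request(req, trace).status)
        return SUCCESS if all(s == SUCCESS for s in statuses) else PARTIAL

    def handle_logout_request(self, req, sps, trace):
        """Initiated from an SP: kill the IdP session, log out the other SPs, answer the initiator."""
        name_id, participants = self.sessions.pop(req.session_index, (None, set()))
        status = self._propagate(req.session_index, name_id, participants - {req.issuer}, sps, trace)
        trace.append(("LogoutResponse", self.entity_id, req.issuer, status))
        return LogoutResponse(self.entity_id, req.request_id, status)

    def initiate_logout(self, session_index, sps, trace):
        """Initiated at the IdP (logout URL encountered): kill the session and log out every SP."""
        name_id, participants = self.sessions.pop(session_index, (None, set()))
        return self._propagate(session_index, name_id, participants, sps, trace)


def sp_initiated_logout(sp, idp, sps, session_index):
    """SP kills its own session first, then POSTs a LogoutRequest to the IdP connector."""
    trace = []
    name_id = sp.sessions.pop(session_index)
    req = LogoutRequest(sp.entity_id, name_id, session_index, f"_sp{next(_ids)}")
    trace.append(("LogoutRequest", sp.entity_id, idp.entity_id, session_index))
    return idp.handle_logout_request(req, sps, trace).status, trace


def demo():
    """One user signed on to OWA and Sharepoint through the corporate IdP; OWA starts the logout."""
    idp = IdentityProvider("https://login.customer.com")
    owa = ServiceProvider("https://owa.customer.com", idp.entity_id)
    sp_ = ServiceProvider("https://sharepoint.customer.com", idp.entity_id)
    idp.login("alice", "_s1", owa)
    idp.login("alice", "_s1", sp_)
    status, trace = sp_initiated_logout(owa, idp, [owa, sp_], "_s1")
    return status, trace, owa.sessions, sp_.sessions, idp.sessions


if __name__ == "__main__":
    status, trace, *_ = demo()
    for msg in trace:
        print(msg)
    print("final status:", status)
```

The IdP answers the initiating SP only after every other SP has responded, which is why the slide's "final logout" POST is the last message; an SP that is unreachable turns the final status into PartialLogout rather than silently leaving a session alive.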
Putting it all together
SAML Lab Overall Use Cases
(Diagram: Users, Login.customer.com, Active Directory, Portal.customer.com, Data Center 2, Private/Public Cloud, OWA.customer.com, SaaS - PaaS, Business Partners, Sharepoint.customer.com, ADFS, Internal Application)