Shibboleth Development and Support Services. OpenID and SAML. Fiona Culloch, EDINA. EuroCAMP, Stockholm, 7 May 2008

Similar documents
OpenID and identity management in consumer services on the Internet

Authentication Methods

Addressing threats to real-world identity management systems

Logout in Single Sign-on Systems

Computer Systems Security 2013/2014. Single Sign-On. Bruno Maia Pedro Borges

Identity Management in Liferay Overview and Best Practices. Liferay Portal 6.0 EE

SD Departmental Meeting November 28 th, Ale de Vries Product Manager ScienceDirect Elsevier

Information Security Group Active-client based identity management

Authentication Integration

Integrating Multi-Factor Authentication into Your Campus Identity Management System

Federation At Fermilab. Al Lilianstrom National Laboratories Information Technology Summit May 2015

Federated Wikis Andreas Åkre Solberg

OpenLogin: PTA, SAML, and OAuth/OpenID

Symplified I: Windows User Identity. Matthew McNew and Lex Hubbard

The Primer: Nuts and Bolts of Federated Identity Management

Addressing threats to real-world identity management systems

Evaluation of different Open Source Identity management Systems

The Primer: Nuts and Bolts of Federated Identity Management

Adding Federated Identity Management to OpenStack

OPENID AUTHENTICATION SECURITY

Lecture Notes for Advanced Web Security 2015

Shibboleth Identity Provider (IdP) Sebastian Rieger

Service Provider Interface Study

Shibboleth User Verification Customer Implementation Guide Version 3.5

AAI for Mobile Apps How mobile Apps can use SAML Authentication and Attributes. Lukas Hämmerle

DocuSign Single Sign On Implementation Guide Published: March 17, 2016

Allidm.com. SSO Introduction. Discovering IAM Solutions. Leading the IAM facebook/allidm

Single Sign-On for the Internet: A Security Story. Eugene Tsyrklevich eugene@tsyrklevich.name Vlad Tsyrklevich vlad902@gmail.com

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

Federated Identity Management and Shibboleth. Noreen Hogan Asst. Director Enterprise Admin. Applications

Flexible Identity Federation

StarterPlus Mailbox Software Setup Guide

An Anti-Phishing mechanism for Single Sign-On based on QR-Code

EXTENDING SINGLE SIGN-ON TO AMAZON WEB SERVICES

About Me. Software Architect with ShapeBlue Specialise in. 3 rd party integrations and features in CloudStack

Licia Florio Project Development Officer Identity Federations in Europe

Open Source Identity Integration with OpenSSO

QR-SSO : Towards a QR-Code based Single Sign-On system

Case Study: SSO for All: SSOCircle Makes Single Sign-On Available to Everyone

ABFAB and OpenStack(in the Cloud)

Identity Federation: Bridging the Identity Gap. Michael Koyfman, Senior Global Security Solutions Architect

The Security Framework 4.1 Programming and Design

Implementing Shibboleth at a UK National Academic Data Centre

An Efficient Windows Cardspace identity Management Technique in Cloud Computing

How To Use Saml 2.0 Single Sign On With Qualysguard

Identity Management. Critical Systems Laboratory

Brian Spector CEO, CertiVox. CloudAuthZ

New Single Sign-on Options for IBM Lotus Notes & Domino IBM Corporation

Shibboleth N-Tier Support. Chad La Joie

OpenID Single Sign On and OAuth Data Access for Google Apps. Ryan Dave Primmer May 2010

Managed Services PKI 60-day Trial Quick Start Guide

The Top 5 Federated Single Sign-On Scenarios

Agenda. How to configure

Dell One Identity Cloud Access Manager How to Develop OpenID Connect Apps

My Private Cloud. Project Objectives

Enabling Federation and Web-Single Sign-On in Heterogeneous Landscapes with the Identity Provider and Security Token Service Supplied by SAP NetWeaver

Federated AAA middleware and the QUT SSO environment

Welcome to ECBuzz.com! Please go through this document carefully to make the experience of owning and using a website an enjoyable one.

Trend of Federated Identity Management for Web Services

Logout Support on SP and Application

Device-Centric Authentication and WebCrypto

Federated Identity Management

External and Federated Identities on the Web

Single Sign On at Colorado State. Ron Splittgerber

Identity Management in Telcos. Jörg Heuer, Deutsche Telekom AG, Laboratories. Munich, April 2008

Enhancing Web Application Security

TRUST AND IDENTITY EXCHANGE TALK

Merit Cloud Media User Guide

Web Based Single Sign-On and Access Control

MIT Tech Talk, May 2013 Justin Richer, The MITRE Corporation

Can We Reconstruct How Identity is Managed on the Internet?

Oracle Fusion Middleware Oracle API Gateway OAuth User Guide 11g Release 2 ( )

Integrating Apex into Federated Environment using SAML 2.0. Jon Tupman Portalsoft Solutions Ltd

INTEGRATION GUIDE. DIGIPASS Authentication for Salesforce using IDENTIKEY Federation Server

Federated Identity Management Technologies and Systems

UK Access Management Federation For Education and Research Operator

Test Case 3 Active Directory Integration

Identity Management Systems A Comparison of Current Solutions

A Shibboleth View of Federated Identity. Steven Carmody Brown Univ./Internet2 March 6, 2007 Giornata AA - GARR

Get a Whiff of WIF Windows Identity Foundation. Keith Brown

SAML Authentication Quick Start Guide

Identity Management. Audun Jøsang University of Oslo. NIS 2010 Summer School. September

The Devil is Phishing: Rethinking Web Single Sign On Systems Security. Chuan Yue USENIX Workshop on Large Scale Exploits

Copyright Pivotal Software Inc, of 10

SAML-Based SSO Solution

Network-based Access Control

Easy as 1-2-3: The Steps to XE. Mark Hoye Services Portfolio Consultant

Using SAML for Single Sign-On in the SOA Software Platform

Federated Identity for Cloud Computing and Cross-organization Collaboration

Digital Identity Management

Creating federated authorisation

Moodle and Office 365 Step-by-Step Guide: Federation using Active Directory Federation Services

INTEGRATION GUIDE. DIGIPASS Authentication for Google Apps using IDENTIKEY Federation Server

Issues in federated identity management

ELM Manages Identities of 4 Million Government Program Users with. Identity Server

Lets get a federated identity. Intro to Federated Identity. Feide OpenIdP. Enter your address. Do you have access to your ?

Dell One Identity Cloud Access Manager How to Configure for SSO to SAP NetWeaver using SAML 2.0

HP Software as a Service

How To Create A Mailbox In Windows Mail On A Pc Or Mac Or Ipad (For A Mac)

IBM WebSphere Application Server

Transcription:

OpenID and SAML Fiona Culloch, EDINA EuroCAMP, Stockholm, 7 May 2008

What is OpenID for? In principle, an OpenID is a universal username, valid across multiple, unrelated services E.g., I have fculloch.protectnetwork.org That is an identifier for me Original idea: avoid creating new accounts for every blog, wiki, etc. Use same OpenID for all Driver: blogs, wikis etc. starting to require authn because of comment spam EuroCAMP, Stockholm 7 May 20088 2

How it works (1) Login page provides OpenID edit box in addition to traditional username/password Standardised logo identifies this box to the user User types OpenID, eg, fculloch.protectnetwork.org Converted to http://fculloch.protectnetwork.org User redirected to authentication page at protectnetwork.org, enters password there Protectnetwork.org confirms to original web site that user entered correct password. User now logged in. EuroCAMP, Stockholm 7 May 20088 3

Terminology Relying Party (RP), uses OpenID to authenticate users Analogous to SAML Service Provider (SP) OpenID Provider (OP), is a server identified by an OpenID. OP invoked by RP to find out if the user sitting at the browser knows the password for claimed OpenID Analogous to SAML Identity Provider (IdP) EuroCAMP, Stockholm 7 May 20088 4

Conventions for form field name, logo What is OpenID? An OpenID is the username I type, e.g., fculloch.protectnetwork.org The protocols used between the RP and the OP (all layered on top of HTTP, versions: 1, 2) Transport for user attributes from OP to RP A movement (or bandwagon) A political programme EuroCAMP, Stockholm 7 May 20088 5

What is OpenID not? No association of OpenID with real-world person (bgates.myopenid.org could be anyone) So more like a traditional username (bgates) than an X.509 personal certificate, where a trusted 3 rd party (the CA) vouches for a real-world name, org. No association of user with any organisation c.f. edupersonscopedaffiliation in SAML feds Not authoritative source of organisational EuroCAMP, Stockholm 7 May 20088 6

User-centric identity Political goals OpenID used should be the user s choice, not the RP s (or the OP s) An OpenID should remain usable if the OP goes out of business, changes its name, DNS reassigned etc. Ultimately, it must be possible to operate your own OP rather than relying on an infrastructure provider (e.g., a commercial or campus OP) Lightweight open-source implementations available EuroCAMP, Stockholm 7 May 20088 7

How realistic are those goals? Those user-centric properties are what mainly distinguish the way OpenID is used, but If anyone can create their own OpenIDs, the original problem (comment spam) isn t solved My fculloch.protectnetwork.org Open ID is tied to a particular provider. I could set up fculloch.org instead (indirection is allowed) but It s harder to set up (vs. AOL, Yahoo! free OpenIDs) So most users don t (how many have own EuroCAMP, Stockholm 7 May 20088 8

$64,000 question Will important RPs want to deal with (trust) arbitrary OPs? To date, many more orgs want to be OPs than RPs SourceForge may change this, too soon to tell, note: They require additional registration details You must still create a trad. username/password, for use with non-web services Some potential campus RPs say they won trust arbitrary OPs, want to restrict user to campus OP EuroCAMP, Stockholm 7 May 20088 9

Restricting OP choice breaks model RPs restricting user choice of OP breaks usercentricity RP blacklisting or whitelisting of OPs or individual OpenIDs starts to look a bit like a federation Without free choice, OpenID is just an alternative authn/attribute transfer protocol to SAML (protocol war, yawn!) and a much criticised one at that: Phishing weaknesses Intrinsically unidentified OPs (vs known IdPs in a EuroCAMP, Stockholm 7 May 20088 10

How OpenID differs from federations Trusted 3 rd party Any OP in the world to any (federation) enrols/verifies RP members from specific community SP can authz on user s org. No way to verify any claimed affiliation (epsa) verified by org. affiliation attribute fed (Usually) rules of anarchic membership, attribute standards. Org. verification enables Inherently discloses privacy-preserving temp ids persistent, cross-service id EuroCAMP, Stockholm 7 May 20088 11

Groups of RPs, OPs get together to: agree minimum practices But what if? Whitelist only OPs that meet them (prob. big names) Standardise the attributes used That looks more like a federation. I.e., difference is more social than technical (protocol) If my current OP is not on whitelist, I must move. Can keep same OpenID only if I have set up indirection (unusual, non-trivial). Will users EuroCAMP, Stockholm 7 May 20088 12

What are we (and others) doing? EDINA & University of Kent awarded 7-month study into OpenID, to cover: What OpenID is and is not (also CardSpace) What institutions are doing / plan to do (survey, limited UK-only results to date, European input good) How OpenID relates to SAML feds (specifically UK) Whether OpenID may be relevant to services using licensed data Path from institutionally managed IDs to EuroCAMP, Stockholm 7 May 20088 13

Integrate OpenID with a SAML fed A UK federation IdP using OpenID (any OP) to authenticate its users: edupersonprincipalname attribute conveys OpenID, e.g., fculloch.protectnetwork.org@openidbridge.ac.uk authn only; no user attributes at present Can SP trust bridge IdP? History of trusted national services in UK. Example SP using licensed data, e.g., EDINA LLL An ACL of allowed eppns (so not just OpenIDs) EuroCAMP, Stockholm 7 May 20088 14

Why integrate OpenID & SAML? To allow experimentation with OpenID authn against already deployed SAML SPs To discover appropriate uses for OpenID (e.g., trial user accounts) To avoid diversion of effort into adding OpenID RP support to existing SAML SPs where not required Non-proprietary alternative to existing openaccess IdPs (e.g., ProtectNetwork, TypeKey) for SP testing EuroCAMP, Stockholm 7 May 20088 15

Initial survey feedback Relatively little OpenID familiarity in campuses Few concrete plans for early deployment More interest in campus OP that would allow users outgoing access to blogs etc. + some level of trust at campus RPs (which would only allow campus OP) N.B.: not user-centric! Less interest in correlating arbitrary OpenIDs to real users (e.g. at matriculation or via account linking) I can see what s in it for students, but not for institution EuroCAMP, Stockholm 7 May 20088 16

What are others doing? Significant interest in adding campus OpenID support as plug-in for Shibboleth 2.0 IdP, similarly to other id platforms (ProtectNetwork, OpenAthens, ) Again, note not user-centric Use case is internal access to already OpenID-enabled RP software packages Shibboleth, OpenAthens etc. viewed as protocol-neutral platforms, leaving SAML vs OpenID as protocol war OpenID can be configured w/whitelists (like a federation); SAML can be configured to be promiscuous (like OpenID) Question is how each community will evolve EuroCAMP, Stockholm 7 May 20088 17

OpenID Momentum Momentum was large part of OpenID appeal Perhaps some easing of late as user-centric meets RP requirements Many large, credible commercial OPs: VeriSign, Yahoo!, AOL, Blogger, Fewer large RPs (SourceForge may change game) EuroCAMP, Stockholm 7 May 20088 18

More survey feedback Views on whether OpenID is more or less secure than traditional passwords are not consistent Generally even less familiarity with CardSpace, even at mainly Microsoft shops You can help! Contact us for survey form. EuroCAMP, Stockholm 7 May 20088 19

Contacts s.shaw@ed.ac.uk fiona.culloch@btinternet.com EuroCAMP, Stockholm 7 May 20088 20

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information