User Authentication for Enterprise Applications

User Authentication for Enterprise Applications - The Future in Transitions
Thesis
• Well-managed, trustworthy authentication and authorization are important today and will be vital in the future
• Moving the authentication and authorization functions to the Web layer allows rapid deployment of newer tools and technologies
• The services needed are largely available today, and will be complete within 18 months
• The work must now shift to the applications and business processes
Agenda
• Trends in User Authentication
• NUIT Plan
• How Should Applications Prepare?
• Transitions
• Wrap-up
Trends in User Authentication
• Defining clear business rules for identity creation and lifecycle management
• Requiring stronger passwords
• Requiring multi-factor authentication for high-value transactions
• Moving to universal identity tokens and federated domains
Business Rules for Identity Lifecycle Management
• Document the necessary and sufficient conditions for identity creation
• Define the lifecycle and especially what authorizations are granted and revoked at each transition
• Grant authorizations in manners that fit business goals and minimize risks
• Log and audit the management processes
Stronger Passwords
• Password cracking technology is advancing beyond our ability to remember passwords
• Because attacks are automated, risks are greater and defenses must be stronger
• Passwords must become longer and more complex.
Stronger Passwords
Number of characters   A..Z      A..Z, a..z   A..Z, a..z, 0..9, symbols
6                      5 mins    6 hrs        8 days
8                      58 hrs    21 mons      196 yrs
10                     5 yrs     4648 yrs     1.7M yrs
• Assumes 1M password tests per second
• Stated figures are 100% surety, 50% would be half, 25% one-quarter, etc.
• Source: http://lastbit.com/pswcalc.asp
Multi-Factor Authentication
• Factors: something you …
– Know (passwords)
– Have (swipe card, USB token)
– Are (thumbprint, handprint, retinal pattern)
– Do (typing pattern, walking gait)
• How many factors are needed to be POSITIVE that the attempted access is by the real person?
– What is the risk of being wrong?
– What is the inconvenience?
Universal Identity and Federation
• If multi-factor authentication is needed, then everyone should have two or more factors available
• Certification attests to the level of confidence which a third party puts into the association of a factor to a particular person
• Federation is not giving another institution access to our authentication services; it is based upon trust in our assertions of authentication. That trust is built upon their knowledge of our identification and management practices
NUIT Plan
• Single identity for each person
• Remove authentication from applications and place it in the surrounding service environment
• Four network-wide authentication services but only one and one-half authorization services
• Workflow-based identity management
• Federated authentication
• Smartcards, USB tokens, etc.
Four Services
• LDAP 3.x: authentication and authorization attributes
• MSFT Active Directory: authentication and some authorization attributes
• MIT Kerberos 5: authentication
• Web SSO: authentication and coarse-grained access control through LDAP authorization attributes
How Should Applications Prepare?
• Move user authentication into the Web server
• Use identity management workflow to control access to the application
• Use institutional roles or other attributes for coarse-grained access control
• Optional: Employ first-access provisioning to simplify management of user profiles within the application
Authenticating at the Web Server
• Applications must give up internal passwords and programming logic to check NetID passwords
• Moving this function to the Web server level allows new functions (Web SSO) to be deployed without widespread effects
• If the application is invoked, then the user was successfully authenticated
Approve Access Through IdM
• The Identity Management (IdM) system must know if a NetID has been granted access to an enterprise application.
• Using IdM-based workflow to request, authorize, approve and grant access can support this easily.
• The IdM system can enforce business rules subject to entitlements granted.
Coarse-Grained Access Control
• Through Web SSO and access rules, any NetID attribute can be used to allow or deny access to an application Web page.
– Role: “faculty”, “employee”
– Entitlement: “access to HRIS”
• Session environment can also be used
– IP address
– Level of authentication
First-Access Provisioning
• Avoid provisioning user profiles within the application until the user attempts access.
• Recognizing no user profile exists:
– Invoke an IdM workflow to request access
– Create a place-holder profile and allow access
– Automatically create a profile from attribute information (institutional roles)
• Result: savings in administrative time
Transitions
[Figure residue: nine step diagrams, Step 1 through Step 9, plus a final diagram, showing the components being rearranged. Labels present in the diagrams: Application (session set-up, processing), Database (user profiles), Administrator, E-mail & workflow, ID & Role Maintenance, Authentication & Authorization (Steps 1 and 2); Identity Management System, LDAP Registry and Authority Database (from Step 3); Web Server taking over Authentication (from Step 4); Web SSO with Access Control System, authorization cookie and Access policy database (from Step 5); Role engine (Step 8); First-access provisioning (Step 9); Card management and Smart card (final diagram).]
Wrap-Up
• “Abstraction” frees the application from any particular authentication technology
• Identity workflow orders the approval process, allows audit controls, and flags the user’s identity for other business rules
• First-access provisioning saves time and effort for the application administrator
• Just as secure, with just as much control, just using different tools
Questions?
Tom Board
teb@northwestern.edu
847-467-4120