Federated Security - 91-514-201-s2010

Will Darby
91.514
5 April 2010
• What is Federated Security
• Security Assertion Markup Language (SAML) Overview
• Example Implementations
• Alternative Solutions for the Internet

Business Agreement
• Multi-organization collaboration common
• Accounts generally maintained by one organization
• Grant access for externally authenticated users
[Diagram: Home Organization authenticates the user; Remote Organization grants access to resources]

• Authentication – Verifying user identity and permissions
• Authorization – Permitting resource access based on identity or attribute
• Identity Provider (IdP) – Entity performing authentication
• Service Provider (SP) – Entity allowing authorized resource access
• Role-Based Access Control – Authorization based on user attributes rather than identity

• Building block for Federated Security
• Public Key Cryptography – Sign and encrypt data without a shared secret
• Public/Private Keys – Complementary tokens employed by PKI
• Digital Signatures – Enable provable message authenticity and integrity
• Message Encryption – Enables message confidentiality over public networks

• Separation of authentication from authorization
• Direct resource access
  • No fixed content gateway
• Eliminate external account management
  • Organizations maintain user accounts and attributes
• User identity protection
  • Authorization based on user attributes or pseudonyms
• Decouple security implementations
  • PKI exchange between organizations
  • Internet-scalable solution

• First large-scale Federated Security solution
• Secures web sites and web applications
• Implements Security Assertion Markup Language (SAML) standard
• Initially developed for research and higher education
  • Research collaboration
  • Academic information providers
  • Outsourced employee applications
  • Extended user populations
• Open source project

• Attributes assigned to user accounts
• Represent group affiliation or user privilege
  • No predefined semantics by Shibboleth
  • Semantic agreement among participants
  • Federation and two-party arrangements
• Bundled with resource requests
  • Authenticated by IdP
  • Basis of resource authorization by SP
Source: “Web Single Sign-On Authentication using SAML”

• Based on SAML Web Browser SSO Profile
• Standard browser request, e.g. GET
• Where-Are-You-From service locates IdP
• User browser redirected to IdP
  • Automated with JavaScript or manually invoked
• IdP-specific identity verification
• Digitally signed security assertions
• Browser session enables single sign-on

• Authorize users across all grid nodes
• Minimal changes to existing security
• Registry to map credentials to authority
• Assertions passed among servers
Source: “An Approach for Shibboleth and Grid Integration”

• Anonymous agents require user permissions
• Delegation permits privilege assignment
• User has the right to manage delegation
• Delegated entity requests resource on the user's behalf
• IdP translates user IDs across domains
Source: “A Delegation Framework for Federated Identity Management”

• Declare statements regarding subject
  • Method of authentication
  • Associated with attributes
  • Authorization to access resource
• Specifies issuer (SAML authority)
• Conditions for time and audience
• Advice – assertions supplying supporting evidence and updates
• Encoding defined by XML schema
• One means to exchange SAML assertions
• SAML profiles define other options
• Queries
  • Authentication – return authentication details
  • Attribute – return attributes for subject
  • AuthorizationDecision – determine resource operation permission
• Responses
  • Status of query
  • Verified assertions requested by query

[Diagram: Web Service Client; Identity Provider (2a. Authenticate User, 2b. Create SAML Assertion); Service Provider (5a. Verify Assertion, 5b. Package Resource)]
• SAML protocol retrieves assertions
• Client requests required assertions
• SOAP-based web service
• WS-Security encodes SAML assertion

• XML Signature – Digital signatures, e.g. sign assertions
• XML Encryption – Encrypt payload
• WS-Security – SOAP encoding of assertions
• WS-Policy – Describes service security policy, e.g. assertions required
• WS-Trust – Alternate protocol to obtain assertions

• Open source Java and C++ SAML libraries
• SAML Assertion and Protocol support
• Basis of current Shibboleth implementation
• Version 2 supports SAML v1.0, v1.1 and v2.0

• Developed for the blogging community
• User-centric identity management
  • Choice of digital address (id)
  • Select identity provider
• Discover IdP from identity URL
• Google Account APIs implementation
Source: “OpenID 2.0: A Platform for User-Centric Identity Management”

• Delegate access to protected resources
• No use of private credentials by client
• Differentiates client from resource owner
• Server validates authorization and client
• Google Account APIs implementation
[Diagram adapted from “The OAuth 1.0 Protocol”: Jane (Resource Owner), Printer Web Site (Client), Photos Web Site (Server); steps shown: 0a. GetClientCredentials, 0b. ClientCredentials, 2. Register callback, 3. ok, 8. Request token, 9. ok, 10. Get resource, 11. resource]
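Added example, not code from the slides or from the OAuth draft: the HMAC-SHA1 request signing that the OAuth 1.0 draft specifies, performed by the client for step 10 and verified by the server, which is how the server validates both the client and its authorization without the client's secrets ever being transmitted. The credentials, the replay cache and the 300-second clock-skew limit are constructed assumptions for the example.

```python
import base64, hashlib, hmac, secrets, time
from urllib.parse import parse_qsl, quote, urlsplit

# Constructed credentials: client credentials from step 0b, token from step 9.
CLIENT_KEY, CLIENT_SECRET = "printer-site", "client-secret-xyz"
TOKEN, TOKEN_SECRET = "access-token-123", "token-secret-abc"
SEEN_NONCES = set()  # server-side replay cache (in-memory for the example)

def pct(value):
    """OAuth percent-encoding: only unreserved characters stay literal."""
    return quote(str(value), safe="-._~")

def base_string(method, url, params):
    """Signature base string: METHOD & base URL & sorted, encoded parameters."""
    parts = urlsplit(url)
    base_url = f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path}"
    pairs = list(params.items()) + parse_qsl(parts.query, keep_blank_values=True)
    encoded = sorted((pct(k), pct(v)) for k, v in pairs if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(base_url), pct(normalized)])

def hmac_sha1(method, url, params, client_secret, token_secret=""):
    """HMAC-SHA1 over the base string, keyed by the two secrets joined with '&'."""
    key = f"{pct(client_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def client_sign(method, url, params):
    """Client side (step 10): add oauth_* parameters and sign; secrets never leave the client."""
    signed = dict(params, oauth_consumer_key=CLIENT_KEY, oauth_token=TOKEN,
                  oauth_signature_method="HMAC-SHA1", oauth_timestamp=str(int(time.time())),
                  oauth_nonce=secrets.token_hex(8), oauth_version="1.0")
    signed["oauth_signature"] = hmac_sha1(method, url, signed, CLIENT_SECRET, TOKEN_SECRET)
    return signed

def server_verify(method, url, params, max_skew=300):
    """Server side: identify client and token, reject stale or replayed requests, check the MAC."""
    if params.get("oauth_consumer_key") != CLIENT_KEY or params.get("oauth_token") != TOKEN:
        return False
    if abs(time.time() - int(params.get("oauth_timestamp", 0))) > max_skew:
        return False
    nonce = (params.get("oauth_nonce"), params.get("oauth_timestamp"))
    if nonce in SEEN_NONCES:
        return False
    expected = hmac_sha1(method, url, params, CLIENT_SECRET, TOKEN_SECRET)
    if not hmac.compare_digest(expected, params.get("oauth_signature", "")):
        return False
    SEEN_NONCES.add(nonce)
    return True
```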



R.L. Morgan, S. Cantor, S. Carmody, W. Hoehn and K. Klingenstein. “Federated Security: The Shibboleth Approach.” EDUCAUSE Quarterly, Volume 27, Number 4, 2004. Pages 12-17. Available at: http://net.educause.edu/ir/library/pdf/EQM0442.pdf.
K.D. Lewis and J.E. Lewis. “Web Single Sign-On Authentication using SAML.” International Journal of Computer Science Issues, Volume 2, 2009. Pages 41-48. Available at: http://www.ijcsi.org/papers/2-41-48.pdf.
“Security Assertion Markup Language (SAML) V2.0 Technical Overview.” OASIS Security Services Technical Committee. March 2008. Available at: http://www.oasis-open.org/committees/download.php/27819/sstc-saml-tech-overview-2.0-cd-02.pdf.
H. Gomi, M. Hatakeyama, S. Hosono and S. Fujita. “A Delegation Framework for Federated Identity Management.” Proceedings of the 2005 Workshop on Digital Identity Management. Pages 94-103.
F. Pinto and C. Fernau. “An Approach for Shibboleth and Grid Integration.” Proceedings of the UK e-Science All Hands Conference, 2005. Available at: http://www.allhands.org.uk/2005/proceedings/papers/531.pdf.
D. Recordon and D. Reed. “OpenID 2.0: A Platform for User-Centric Identity Management.” Proceedings of the Second ACM Workshop on Digital Identity Management, 2006. Pages 11-16.
E. Hammer-Lahav. “The OAuth 1.0 Protocol.” IETF Internet Draft. February 2010. Available at: http://tools.ietf.org/html/draft-hammer-oauth-10.