Geneva Application Security Forum: Towards Stronger Authentication in Web Applications
OpenID & SAML, Identity Federation, SuisseID, Single Sign-on Concepts with Strong Authentication Service & Future
Geneva Application Security Forum, March 4th 2010
Robert Ott, Master of Science (Honors), CFO
Fredi Weideli, Master of Computer Science, CTO
Robert Ott, clavid ag, Zug
- OpenID Representative Switzerland
- CFO, Clavid AG, Switzerland
Agenda
• SECTION 1 OpenID - What is it? How does it work? Integration?
SECTION 1
OpenID
> What is it?
> How does it work?
> How to integrate?
OpenID - What is it?
OpenID - How does it work?
[Diagram: authentication between an OpenID-enabled service and the Identity Provider (e.g. clavid.ch); the user's Identity URL is their OpenID, e.g. OpenID = hans.muster.iid.ch]
OpenID - How does it work?
[Diagram: Identity Provider (e.g. clavid.com), Identity URL https://hans.muster.clavid.com, OpenID-enabled service; numbered steps 1 to 6 as in the caption]
Caption:
1. User enters OpenID
2. Discovery
3. Authentication
4. Approval
4a. Change Attributes
5. Send Attributes
6. Validation
OpenID - How does it work?
Step 1: A user decides to use a personalized Internet Service supporting OpenID (e.g. local.ch). The user clicks on "Login using OpenID" and enters their OpenID (e.g. hans.muster.iid.ch).
Step 2: The requested Internet Service converts the OpenID into a URL (http://hans.muster.iid.ch) and requests this URL in order to discover the user's Identity Provider.
Step 2a: In this example, the user has delegated their OpenID to the Identity Provider clavid.ch.
Step 3: The Identity Provider offers the authentication methods available for that specific user (in this case "Password"). Once the user has authenticated successfully, the next step (approval) is initiated.
Step 4: The user decides which values of the requested attributes are provided to the Internet Service. The Identity Provider usually offers user-specific Personas (attribute templates) to assist the user in this approval process.
Step 4a: At this point, the user may change attribute values and store them on the Identity Provider for future approvals for that specific service. Thus, a user can automate future approvals for specific Internet Services.
Steps 5, 6: The attribute values are then signed and sent from the Identity Provider to the Internet Service. The Internet Service validates the signature of the provided attributes and finally accepts the user as authenticated.
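Steps 5 and 6 in working code, as an added example that is not part of the original slides: the Identity Provider signs the attribute fields with the association key in OpenID 2.0 key-value form (HMAC-SHA256), and the Internet Service verifies the signature, checks that op_endpoint and return_to belong to this login attempt, rejects stale or replayed response_nonce values, and trusts only attributes covered by openid.signed. The association key and handle and the OP and service URLs are constructed placeholders.

```python
import base64, calendar, hashlib, hmac, os, time

MAC_KEY = os.urandom(32)  # constructed stand-in for the association MAC key shared by OP and RP
ASSOC_HANDLE, SEEN_NONCES = "assoc-demo-1", set()  # hypothetical handle; RP replay cache
REQUIRED = {"op_endpoint", "claimed_id", "identity", "return_to", "response_nonce", "assoc_handle"}

def kv_form(fields, signed):
    return "".join(f"{k}:{fields[k]}\n" for k in signed).encode()  # OpenID 2.0 Key-Value Form, signed order

def op_sign(fields, signed_keys):
    """Step 5 (OP side): add openid.signed and openid.sig = base64(HMAC-SHA256 over the KV form)."""
    out = dict(fields, signed=",".join(signed_keys))
    mac = hmac.new(MAC_KEY, kv_form(out, signed_keys), hashlib.sha256).digest()
    out["sig"] = base64.b64encode(mac).decode()
    return out

def nonce_fresh(nonce, now, max_skew=300):
    """response_nonce starts with a UTC timestamp; reject malformed or stale ones."""
    try:
        ts = calendar.timegm(time.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ"))
    except ValueError:
        return False
    return abs(now - ts) <= max_skew

def rp_validate(resp, expected_op_endpoint, expected_return_to, now):
    """Step 6 (RP side): (True, identity and signed attributes) or (False, reason)."""
    signed = resp.get("signed", "").split(",")
    if (not REQUIRED <= set(signed) or any(k not in resp for k in signed)
            or resp["assoc_handle"] != ASSOC_HANDLE):
        return False, "mandatory fields not signed under a known association"
    mac = hmac.new(MAC_KEY, kv_form(resp, signed), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, base64.b64decode(resp.get("sig", ""))):
        return False, "bad signature"
    if resp["op_endpoint"] != expected_op_endpoint or resp["return_to"] != expected_return_to:
        return False, "op_endpoint or return_to does not match this login attempt"
    if not nonce_fresh(resp["response_nonce"], now) or resp["response_nonce"] in SEEN_NONCES:
        return False, "stale or replayed response"
    SEEN_NONCES.add(resp["response_nonce"])
    attrs = {k: v for k, v in resp.items() if k.startswith("ax.value.") and k in signed}  # signed AX only
    return True, {"identity": resp["identity"], "attributes": attrs}

def demo(now):
    """Constructed round trip: OP signs an id_res response; RP validates it, a replay and a tampered copy."""
    op, rt = "https://clavid.ch/openid", "https://service.example/openid/return"  # hypothetical URLs
    resp = op_sign({"mode": "id_res", "op_endpoint": op, "return_to": rt, "assoc_handle": ASSOC_HANDLE,
                    "claimed_id": "http://hans.muster.iid.ch", "identity": "http://hans.muster.iid.ch",
                    "response_nonce": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(now)) + "k3Z",
                    "ax.value.email": "hans@example.org"}, sorted(REQUIRED) + ["ax.value.email"])
    first, replay = rp_validate(resp, op, rt, now), rp_validate(resp, op, rt, now)
    tampered = rp_validate(dict(resp, **{"ax.value.email": "mallory@example.org"}), op, rt, now)
    return first, replay, tampered
```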
OpenID - User Centric Identity Management
[Diagram comparing Today (a separate Username/Password for every service), Tomorrow (a single login at an OpenID Provider) and the Future (?)]
OpenID - How to Integrate?
Recipe
• Extend the database to map the OpenIDs to the user IDs
• Extend the registration page with an OpenID input field
• Extend the sign-in page with an OpenID input field
• Extend the settings page to attach and detach OpenIDs
OpenID - How to Integrate?
Ingredients
• An OpenID Consumer Library
• The Standard OpenID Logos
• An OpenID Provider to test your site with
OpenID - How to Integrate?
OpenID Libraries
Language     Library
C#           DotNetOpenId, ExtremeSwank
C++          Libopkele
Java         NetMesh InfoGrid LID, OpenID4Java, joid
Python       JanRain
PHP          JanRain, Zend Framework OpenID Component, Saeven.net's JanRain Service Utility Class, Taral, Simple Class, sfOpenIDPlugin, CakePHP, EasyOpenID, OpenID For PHP, AuthOpenID Snippet
ColdFusion   CFKit OpenID, CFOpenID, OpenID CFC
Apache 2     mod_auth_openid
SECTION 2
SAML
> What is it?
> How does it work?
SAML – What is it?
SAML – How does it work?
[Diagram: the SAML-enabled service redirects the user to the Identity Provider (e.g. clavid.ch) with an <AuthnRequest>; after authentication the Identity Provider redirects back with a <Response> carrying a signed Assertion, and the user can access the resource]
SAML – How does it work?
[Diagram: the numbered SAML flow (steps 1 to 6) between the SAML-enabled service and the Identity Provider, e.g. clavid.ch]
SAML – How does it work?
Step 1: A user decides to use a personalized Internet Service connected to a SAML-based Identity Provider (e.g. Google Business Application Calendar).
Step 2: The Internet Service recognizes that the user is not logged in yet. A SAML <AuthnRequest> is created and sent via redirect to the Identity Provider.
Step 3: The Identity Provider offers the authentication methods available for that specific user (in this case "YubiKey" OTP). Once the user has authenticated successfully, the next step is initiated.
Step 4: The Identity Provider creates a SAML <Response> containing the user's identifier for the specific target application. It then signs the SAML <Response> and sends it via a POST redirect to the Internet Service (e.g. Google Calendar).
Step 5: The Internet Service (e.g. Google Apps) verifies the signature of the SAML <Response> and now knows the user's identifier provided by the Identity Provider.
Step 6: The Internet Service can now be used by the user.
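Steps 4 and 5 in working code, added here and not taken from the slides: the <Response> as the Identity Provider constructs it before signing, and the checks the Internet Service must make alongside verifying the XML signature (Issuer, Destination, status, InResponseTo against the AuthnRequest it issued in step 2, validity window, Audience and Recipient). Signature verification itself is left to an XML-DSig library; the entityIDs, ACS URL and request IDs are hypothetical.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
SP_ENTITY, ACS_URL = "https://sp.example/metadata", "https://sp.example/saml/acs"  # hypothetical service
IDP_ENTITY = "https://clavid.ch/idp"  # hypothetical Identity Provider entityID
PENDING = set()  # AuthnRequest IDs issued in step 2 and not yet answered (ties a Response to a login)
FMT = "%Y-%m-%dT%H:%M:%SZ"

def idp_response(req_id, name_id, now, audience=SP_ENTITY):
    """Step 4 (constructed, Identity Provider side): the <Response> as it looks before signing."""
    exp = (now + timedelta(minutes=5)).strftime(FMT)
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" ID="_r1" Version="2.0" '
            f'IssueInstant="{now.strftime(FMT)}" Destination="{ACS_URL}" InResponseTo="{req_id}">'
            f'<saml:Issuer>{IDP_ENTITY}</saml:Issuer><samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
            f'<saml:Assertion ID="_a1" Version="2.0" IssueInstant="{now.strftime(FMT)}"><saml:Issuer>{IDP_ENTITY}</saml:Issuer>'
            f'<saml:Subject><saml:NameID>{name_id}</saml:NameID><saml:SubjectConfirmation '
            f'Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData Recipient="{ACS_URL}" '
            f'InResponseTo="{req_id}" NotOnOrAfter="{exp}"/></saml:SubjectConfirmation></saml:Subject>'
            f'<saml:Conditions NotBefore="{(now - timedelta(minutes=1)).strftime(FMT)}" NotOnOrAfter="{exp}">'
            f'<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>'
            f'</saml:Conditions></saml:Assertion></samlp:Response>')

def sp_check(xml_text, now):
    """Step 5 (Internet Service side): the checks that must accompany verification of the XML
    signature (done first with an XML-DSig library such as xmlsec; not shown here)."""
    root = ET.fromstring(xml_text)
    t = lambda s: datetime.strptime(s, FMT).replace(tzinfo=timezone.utc)
    if root.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY or root.get("Destination") != ACS_URL:
        return False, "issuer or Destination does not match our Identity Provider and ACS URL"
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        return False, "status is not Success"
    req_id = root.get("InResponseTo")
    if req_id not in PENDING:
        return False, "unsolicited or replayed response (unknown InResponseTo)"
    PENDING.discard(req_id)  # exactly one Response may answer an AuthnRequest
    a = root.find("saml:Assertion", NS)
    cond = a.find("saml:Conditions", NS) if a is not None else None
    if cond is None:
        return False, "no assertion with conditions"
    if not (t(cond.get("NotBefore")) <= now < t(cond.get("NotOnOrAfter"))):
        return False, "assertion outside its validity window"
    if cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS) != SP_ENTITY:
        return False, "assertion issued for a different audience"
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != ACS_URL or scd.get("InResponseTo") != req_id:
        return False, "subject confirmation does not match this login attempt"
    return True, a.findtext("saml:Subject/saml:NameID", namespaces=NS)
```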
SAML – How does it work?
1) Call Application URL
2) Login
3) Application Usage
SECTION 3
Identity Federation
B2B Identity Federation - The Protocol Problem
[Diagram: Company A's Intranet users reach Internet Service A (Travel, Ticket Shop) over https with a Proprietary Token, and Internet Service B (Document Management) with OpenID]
B2B Identity Federation - The Protocol Mess
[Diagram: the Intranets of Company A and Company C each connect over https to Internet Service A (Travel, Ticket Shop) and to SaaS Applications using a mix of Proprietary Token, OpenID, SAML 1.0 and SAML 2.0]
B2B Identity Federation - The Protocol Solution
[Diagram: Company A and Company C each connect their Intranet over https to an Internet SSO service, which speaks SAML 2.0 towards Internet Service A (Travel, Ticket Shop, Recruiting) and the SaaS Applications; authentication methods include Biometric (AXSionics), SSL Certificates and OTP]
B2B Identity Federation - The Protocol Solution
[Diagram: Company A, Company B and Company C connect their Intranets over https to an Internet Identity Provider offering Internet SSO and Identity Federation; legacy connections (Proprietary Token, SAML 1.0) are bridged there, and authentication methods include Biometric (AXSionics), SSL Certificates and OTP]
SECTION 4
A Word on SuisseID
SECTION 5
Strong Authentication as a Service
OpenID - International Identity Providers
[Table of international OpenID Identity Providers by supported authentication method: Username/Password, Certificates, Biometric, OTP]
Clavid Portal for Strong Authentication
Clavid Portal - AXSionics
Clavid Portal - Yubikey
Clavid Portal - Certificates
Clavid Portal - One Time Password
OTP Methods:
• OATH HOTP (RFC4226)
• Challenge/Response (RFC2289)
• Mobile OTP (open-source project)
• SMS
• ... others ...
Clavid Portal - Personas
Clavid Portal - Login Settings
Clavid Login Dialog
SECTION 6
Conclusion
> Further References
> Questions & Answers
> Contact Information
Further Links on OpenID
> http://en.wikipedia.org/wiki/List_of_OpenID_providers
> http://www.openiddirectory.com/openid-providers-c-1.html
Conclusion
Demo
Questions & Answers
Contact Information