Biometric Single Sign-on using SAML
Page 1
Biometric Single Sign-on using SAML: Architecture & Design Strategies
Ramesh Nagappan, [email protected]
Page 2
Biometrics Consortium 2006
Setting Expectations: What you can take away!
• Understand the importance of Single Sign-On (SSO) and its role in enterprise IT applications.
• Get introduced to the SAML standard for enabling SSO with Biometric authentication.
• Understand the Architecture and Strategies for implementing Biometric SSO using SAML.
• How to build Multifactor SSO using Biometrics in enterprise IT applications.
Page 3
Agenda
• The State of the Industry
  > CIO Headaches
  > Identity Management - Promises
  > Single Sign-on: SAML to the rescue
• The role of SAML in Biometric SSO
  > Anatomy of SAML
  > SAML use cases
  > How it works
• Biometric SSO: Architecture & strategies
  > Tools of the Trade
  > Implementation Strategies
  > Multi-factor SSO using Biometrics
Page 4
Information is Everywhere: Growing Exponentially – Thanks to the Internet and Open Standards
Page 5
Virtual Enterprise: Web based Application Proliferation
[Figure label: Internet]
Page 6
Multiple Sign-on: Authentication Silos
Page 7
The CIO Headaches: Information Security, Compliance and User Experience
• Drive business innovation
✔ Protect corporate information
✔ Improve customer experience
✔ Enable regulatory compliance
• Streamline the IT operations
Page 8
Security Requires a Delicate Balance: Consistent user experience without sacrificing security
[Figure labels: Height of Fences? Ease of Access?]
How much can you balance security vs. user experience?
Page 9
Security and Identity Management: Bringing Together People and Information Security
[Figure: two overlapping circles labelled Security and People]
● Authentication
● Authorization
● Auditing
• Confidentiality
• Integrity
• Availability
Page 10
The Promise of Identity Management: Why is it important?
• Standardized platform for managing the identity life-cycle of an organization and its partners
• Single sign-on (SSO) access to disparate resources within an enterprise and beyond organizational boundaries.
  > SSO and cross-domain SSO based authentication and authorization
  > Enhance security with multi-factor based strong authentication
  > Extend access to trusted partnerships via Federated SSO over the Internet
• Centralized or distributed policy enforcement
• Track and audit authentication and authorization events.
• Provisioning and de-provisioning users on demand
• Compliance reporting
Identity Management is Key to a Successful Security Strategy
Page 11
Single Sign-on: In reality
Identity Management is Key to a Successful Security Strategy
Single sign-on offers a consistent user experience and enhanced security: it allows access to disparate resources with strong authentication.
Page 12
Enabling Biometric SSO: Challenges. Common development challenges?
• How to enable Biometric callbacks in Web based applications?
  > Representing device callbacks without client-side dependencies.
  > How to ensure confidentiality and integrity of biometric samples in transit.
• How to identify and verify the client origin host?
  > Identifying spoofed connections, message replay attacks and session hijacks.
• How to manage user sessions, idle time and single logout?
• How to initiate authentication and share state within a Multifactor authentication session?
• How to avoid multiple sign-on scenarios?
  > Propagating the security context within trust boundaries and avoiding re-authentication.
• How to perform biometric enrollment in a registration workflow?
Page 13
Introducing SAML: Overview
• Security Assertion Markup Language
• Open XML standard protocol for exchanging authentication and authorization information
  > OASIS approved industry standard.
  > Designed for SSO, Multi-domain SSO and Federation
  > SAML 2.0 allows use of SAML in devices and supports session management in Web applications.
• Promotes interoperability among Identity Providers and Service Providers.
• SAML is used by other industry standards – Liberty Alliance, OASIS WS-Security and Shibboleth.
Page 14
SAML Adoption: How is SAML being used?
• Web Single sign-on (SSO)
  > SAML enables SSO through exchanging authentication assertions.
  > SSO can be part of single or multiple autonomous domains.
• Federated Identity
  > Establish Federated Identity sharing between trusted partners.
• Attribute-Based Authorizations
  > Communicate identity information about a subject from one Web site to another.
• Securing Web Services
  > SAML assertions can be used within SOAP Messages.
  > The OASIS WS-Security TC has defined a SAML Profile to support the use of SAML.
Page 15
Anatomy of SAML: Core components
• SAML Assertions
  > A set of one or more statements made by a SAML Authority/Identity Provider.
• SAML Protocols
  > Define request/response protocols to support exchanging assertions.
  > Ex. Authentication Request, Single Logout
• SAML Bindings
  > Define how SAML can be communicated using standard protocols (ex. HTTP, SOAP).
• SAML Profiles
  > Define the usage of SAML for an application.
  > Ex. Web Browser SSO Profile
[Figure: the SAML layers stacked as Profiles, Bindings, Protocols, Assertions]
Page 16
Anatomy of SAML... contd. Environment specific components
• SAML Metadata
  > Defines how a SAML entity describes its configuration data.
• Authentication Context
  > Defines the type and strength of authentication requirements.
  > What authentication processes are enforced before issuing the assertion (ex. using Multi-factor authentication).
Page 17
SAML Assertions: SAML Assertions are statements issued by a SAML Authority
• Authentication Assertion
  > SAML statement that represents a successful authentication performed on a subject (service requestor).
• Authorization Decision Assertion
  > Represents an authorization decision that the subject is allowed to access a requested resource.
  > Ex. Ramesh Nagappan is permitted to speak at BC 2006.
• Attribute Assertion
  > Identifies the attributes of a subject, especially additional data intended for the service provider.
  > Ex. Ramesh Nagappan works for Sun Microsystems.
[Figure: a SAML Assertion carrying an Authentication Assertion, an Authorization Assertion and an Attribute Assertion]
Page 18
Anatomy of SAML Message

```xml
<saml:Assertion
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="[assertion-id placeholder: the slide omits the mandatory ID attribute]"
    Version="2.0"
    IssueInstant="2006-08-01T17:50:50.000Z">
  <saml:Issuer>http://nramesh.east.sun.com/</saml:Issuer>
  <!-- Digital signature of the issuer (XML Signature, ds namespace declared above) -->
  <ds:Signature>...</ds:Signature>
  <saml:Subject>
    <!-- SAML 2.0 spells the attribute "Format"; the slide had lowercase "format" -->
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">xyz000181</saml:NameID>
  </saml:Subject>
  <saml:AuthnStatement
      AuthnInstant="2006-08-01T17:50:30.000Z"
      SessionIndex="123456">
    <!-- Authentication context: how strongly the subject was authenticated -->
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>
        urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
      </saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>
```
Page 19
SAML Security: How to protect SAML assertions?
• SAML recommends the use of HTTP over SSL/TLS for ensuring transport-level security.
  > Prevents MITM attacks on SAML assertions.
• SAML supports XML Signature and XML Encryption for ensuring message-level confidentiality and integrity.
  > The SAML constructs can be encrypted and digitally signed before issuing the assertion.
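The slides above describe what protects an assertion (signature, trusted issuer) and, earlier, what the relying party must defend against (replay, spoofed origin) and how the Authentication Context states strength. The following added Python example, which is not from the deck, shows the relying-party checks applied to an assertion shaped like the one on the "Anatomy of SAML Message" slide. The sample assertion, its ID, the trusted issuer, the accepted context classes and the `verify_signature` callback are all assumptions; the callback stands in for a real XML-DSig verification against the Identity Provider's key.

```python
# Added example (not from the deck): relying-party validation of a SAML 2.0
# assertion. Assumptions: the assertion text, the trusted issuer, the accepted
# AuthnContext classes and verify_signature are supplied by the relying party;
# verify_signature stands in for a real XML-DSig check with the IdP's key.
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"

# Constructed sample assertion modelled on the slide; the ID and the signature
# body are placeholders, not values from the deck.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_constructed-0001" Version="2.0" IssueInstant="2006-08-01T17:50:50.000Z">
  <saml:Issuer>http://nramesh.east.sun.com/</saml:Issuer>
  <ds:Signature><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">xyz000181</saml:NameID>
  </saml:Subject>
  <saml:AuthnStatement AuthnInstant="2006-08-01T17:50:30.000Z" SessionIndex="123456">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""


def parse_instant(value):
    """SAML timestamps are xsd:dateTime in UTC with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, trusted_issuer, accepted_classes, seen_ids, now,
                       verify_signature, max_age=timedelta(minutes=5),
                       skew=timedelta(seconds=60)):
    """Return (ok, reason, name_id). seen_ids is the relying party's replay cache."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % NS["saml"] or root.get("Version") != "2.0":
        return False, "not a SAML 2.0 assertion", None
    # 1. Integrity and origin: nothing below is trusted until the signature holds.
    if root.find("ds:Signature", NS) is None or not verify_signature(root):
        return False, "missing or invalid signature", None
    # 2. Only the Identity Provider this relying party trusts may assert.
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != trusted_issuer:
        return False, "untrusted issuer " + issuer, None
    # 3. Freshness: reject stale assertions and ones dated in the future (allowing skew).
    try:
        issued = parse_instant(root.get("IssueInstant", ""))
    except ValueError:
        return False, "malformed IssueInstant", None
    if issued > now + skew or now - issued > max_age:
        return False, "assertion outside freshness window", None
    # 4. Replay: each assertion ID is honoured once within the freshness window.
    aid = root.get("ID")
    if not aid or aid in seen_ids:
        return False, "replayed or unidentified assertion", None
    # 5. Strength: the asserted AuthnContext class must meet the relying party's policy.
    cls = root.findtext("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef",
                        default="", namespaces=NS).strip()
    if cls not in accepted_classes:
        return False, "authentication context too weak: " + cls, None
    name_id = root.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    seen_ids.add(aid)
    return True, "ok", name_id


if __name__ == "__main__":
    cache = set()
    now = parse_instant("2006-08-01T17:51:00.000Z")
    for _attempt in range(2):  # the second call is a replay and must be rejected
        print(validate_assertion(SAMPLE_ASSERTION, "http://nramesh.east.sun.com/",
                                 {AC + "PasswordProtectedTransport"}, cache, now,
                                 lambda _root: True))
```

The order matters: the signature is checked before any other field is read, because issuer, timestamps and context class are only meaningful once their integrity is established. The replay cache only needs to remember IDs for `max_age` plus `skew`, since anything older is rejected by the freshness check anyway.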
Page 20
SAML Use Case Scenario: Single sign-on
[Figure: a SAML compliant Identity Provider (ex. identityprovider.sun.com), the SAML asserting party, and a SAML aware Service Provider (ex. services.ebay.com), the SAML relying party; the user authenticates at the Identity Provider and accesses the protected resource at the Service Provider with the SAML assertion]
Page 21
Biometric SSO: Architecture and Design Strategies
• Identity Provider strategy: makes use of a SAML compliant Identity Provider to issue SAML assertions; the biometric vendor is configured as an authentication provider.
  > Ex. Java Authentication and Authorization Service (JAAS) LoginModule.
• Biometric AuthN provider strategy: makes use of a SAML enabled Biometric authentication provider to issue SAML assertions.
  > Ex. OpenSAML support
Page 22
Biometric SSO: Tools of the Trade
• Identity Provider Infrastructure
  > OASIS SAML 2.0
  > Liberty Phase II
  > JAAS (Java Authentication & Authorization Service)
  > LDAP v3
  > JSR-196 (Authentication Provider)
• Biometric Authentication Infrastructure
  > JAAS LoginModule
  > OASIS SAML 2.0
  > OASIS SPML 2.0 Adapter
• Identity Provisioning Infrastructure
  > OASIS SPML 2.0
  > OASIS WS-BPEL 1.1
Page 23
Biometric SSO: IdP Strategy. Using a SAML compliant Identity Provider
[Figure: Biometric AuthN middleware with single/multi-modal biometrics performs authentication for the SAML compliant Identity Provider infrastructure (the SAML asserting authority); the Identity Provider issues the SAML assertion on request to the SAML relying authorities (enterprise applications, J2EE applications, databases and directories), which grant access]
Page 24
Biometric SSO: Bio AuthN Provider Strategy. Using a SAML compliant Biometric Authentication Provider
[Figure: SAML compliant Biometric AuthN middleware with single/multi-modal biometrics performs authentication and itself issues the SAML assertion (the SAML asserting authority) on request to the SAML relying authorities (enterprise applications, J2EE applications, databases and directories), which grant access]
Page 25
Multi-factor SSO including Biometrics: Case study with Sun Java System Access Manager and BiObex
[Figure: Sun Java System Access Manager, the SAML asserting authority, provides Single Sign-on, Multi-Domain SSO, Federated SSO, Authentication, Authorization, Policies, User/Role Profiles and Audit Logs over databases/directories; it performs an authentication chain across the authentication providers: BiObex multi-modal biometrics, Smartcard (CAC/PKCS#15) backed by a Certificate Authority with OCSP responder, SSL and Password, with an LDAP Directory / Oracle Database; the resulting SAML assertion is consumed by the SAML relying authorities: enterprise applications, portal applications and desktops]
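The case study above chains several authentication providers (biometrics, smartcard, SSL, password) and then issues a SAML assertion whose Authentication Context reflects what was enforced; page 21 notes that the biometric vendor plugs in as a JAAS LoginModule. The following added Python example, which is neither from the deck nor Access Manager or BiObex code, models that Identity Provider side: a JAAS-style chain with REQUIRED/SUFFICIENT control flags, a mapping from the factors that passed to an AuthnContextClassRef, and an (unsigned) authentication assertion. The verifiers are stand-ins for the real password store, smartcard PKI/OCSP check and biometric matcher; the biometric class URIs are hypothetical deployment-defined placeholders because SAML 2.0 defines no biometric class; `DEMO_NOW` and the credential values are constructed.

```python
# Added example (not from the deck; not Access Manager or BiObex code): a
# JAAS-style authentication chain at the Identity Provider that maps the factors
# which passed to an AuthnContext class and issues a SAML 2.0 authentication
# assertion. Signing the assertion is left to an XML-DSig library.
import hashlib
import hmac
import uuid
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable
from xml.sax.saxutils import escape

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"
# Hypothetical deployment-defined class URIs (placeholders, not standard values).
AC_BIOMETRIC = "urn:example:ac:classes:Biometric"
AC_SMARTCARD_BIOMETRIC = "urn:example:ac:classes:SmartcardBiometricMultiFactor"
REQUIRED, SUFFICIENT = "required", "sufficient"
DEMO_NOW = datetime(2006, 8, 1, 17, 50, 30, tzinfo=timezone.utc)  # constructed


@dataclass
class LoginModule:
    """Stand-in for a JAAS LoginModule: one factor and its control flag."""
    name: str
    flag: str
    verify: Callable[[dict], bool]


def run_chain(chain, credentials):
    """Evaluate the chain JAAS-style; return the factors that passed, or None."""
    passed = []
    for module in chain:
        if module.verify(credentials.get(module.name, {})):
            passed.append(module.name)
            if module.flag == SUFFICIENT:
                break  # a passing SUFFICIENT module ends the chain
        elif module.flag == REQUIRED:
            return None  # a failing REQUIRED module fails the whole chain
    return passed or None


def authn_context_for(factors):
    """Map the factors that passed to the AuthnContextClassRef to assert."""
    f = set(factors)
    if {"smartcard", "biometric"} <= f:
        return AC_SMARTCARD_BIOMETRIC
    if "biometric" in f:
        return AC_BIOMETRIC
    if "smartcard" in f:
        return AC + "SmartcardPKI"
    if "password" in f:
        return AC + "PasswordProtectedTransport"  # assumes the login ran over TLS
    return AC + "unspecified"


def issue_assertion(issuer, name_id, factors, now, lifetime=timedelta(minutes=5)):
    """Build the (still unsigned) authentication assertion; returns (xml, class_ref)."""
    stamp = lambda t: t.strftime("%Y-%m-%dT%H:%M:%S.000Z")
    ctx = authn_context_for(factors)
    issued, expires = stamp(now), stamp(now + lifetime)
    xml = (
        f'<saml:Assertion xmlns:saml="{SAML_NS}" ID="_{uuid.uuid4().hex}" '
        f'Version="2.0" IssueInstant="{issued}">'
        f"<saml:Issuer>{escape(issuer)}</saml:Issuer>"
        f'<saml:Subject><saml:NameID Format="{PERSISTENT}">{escape(name_id)}</saml:NameID></saml:Subject>'
        f'<saml:Conditions NotBefore="{issued}" NotOnOrAfter="{expires}"/>'
        f'<saml:AuthnStatement AuthnInstant="{issued}"><saml:AuthnContext>'
        f"<saml:AuthnContextClassRef>{ctx}</saml:AuthnContextClassRef>"
        "</saml:AuthnContext></saml:AuthnStatement></saml:Assertion>"
    )
    return xml, ctx


# Constructed credential store for the demo subject (not real data).
_SALT = b"constructed-salt"
_PASSWORD_HASH = hashlib.pbkdf2_hmac("sha256", b"correct horse battery", _SALT, 50_000)


def verify_password(c):
    candidate = hashlib.pbkdf2_hmac("sha256", c.get("password", "").encode(), _SALT, 50_000)
    return hmac.compare_digest(candidate, _PASSWORD_HASH)


def verify_smartcard(c):
    # Stand-in for validating the card certificate chain and its OCSP status.
    return c.get("cert_chain_valid") is True and c.get("ocsp_status") == "good"


def verify_biometric(c, threshold=0.9):
    # Stand-in for the vendor matcher: the match score must reach the policy threshold.
    return c.get("match_score", 0.0) >= threshold


DEFAULT_CHAIN = [
    LoginModule("password", REQUIRED, verify_password),
    LoginModule("smartcard", REQUIRED, verify_smartcard),
    LoginModule("biometric", REQUIRED, verify_biometric),
]


def authenticate_and_issue(chain, credentials, issuer, name_id, now):
    """Run the chain; on success return (assertion_xml, class_ref), else None."""
    factors = run_chain(chain, credentials)
    if factors is None:
        return None
    return issue_assertion(issuer, name_id, factors, now)
```

Because the class reference is derived from the chain that actually ran rather than from configuration, a relying party that insists on the smartcard-plus-biometric class cannot be satisfied by a session in which only the password module passed; that is the property the Authentication Context slide describes, and it is what makes the chain's REQUIRED flags meaningful end to end.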
Page 26
Further References
• Core Security Patterns
  > Chris Steel, Ramesh Nagappan & Ray Lai
  > Special focus on Identity Management using Biometrics and Smartcards
  > www.coresecuritypatterns.com
• OASIS SAML 2.0
  > www.oasis-open.org/specs/index.php#samlv2.0
• Sun Java System Identity Suite
  > www.sun.com/products/identity/index.jsp
• Article: Biometric Authentication for J2EE and Web based Applications
  > http://developers.sun.com/prodtech/identserver/reference/techart/bioauthentication.html
Page 27
Biometric Single Sign-on using SAML: Architecture and Design Strategies
Ramesh [email protected]/downloads