Help! I Have An Identity Crisis: A look at various mechanisms of Single Sign On
Uploaded by saloni-shah
Transcript of Help! I Have An Identity Crisis: A look at various mechanisms of Single Sign On
@salonijshah
Single Sign On
As developers…•…wanting to implement SSO, you may have
wondered... How did it get so complicated?
Help! I have an identity crisis!
Some terminology
• Identification
• Authentication
• Authorization
Single Sign On & Identity Federation
• Single Sign On: Log in once and access multiple applications
• Identity Federation: Shared identity between multiple systems
Enterprise SSO Identity federation
Enterprise SSO & Identity Federation
“Enterprise” SSO
Federated identity
Advantages of an identity federation
• Standardization >> Platform Neutrality
• Security
• Better user experience
• Loose coupling of directories
• Reduced administrative costs for service providers
• Risk transference
SAML
SAML
• Security Assertion Markup Language.
• Created in 2002 by the Security Services Technical Committee of OASIS.
• XML-based framework to make assertions regarding the identity, attributes, and entitlements of a user.
• Current version: SAML 2.0 (2005)
Enterprise
External services
Three roles in SAML
Circle of trust
SAML Concepts
SAML Assertions
SP-initiated SSO
(1) Access resource
(2) Redirect with <Authn Req>
    GET using <Authn Req>
(3) Challenge for credentials
(4) User login
(5) Signed <response>
(6) Post signed <response>
(7) Supply resource
IdP-initiated SSO
(1) Challenge for credentials
(2) User login
(3) Select remote resource
(4) Signed <response>
(5) Post signed <response>
(6) Supply resource
SAML – Security Considerations
• Use TLS
• Use digitally signed messages
• Securely validate the digital signature
• Validate the XML schema
SAML Security Cheat Sheet: https://www.owasp.org/index.php/SAML_Security_Cheat_Sheet
OAuth
OAuth
• Open protocol for secure authorization
• “Valet key for the web”
• Simple and standard method from web, mobile, and desktop apps
• Original spec: 2006
• Current version: OAuth 2.0
• Google’s OAuth Playground: https://developers.google.com/oauthplayground/
OAuth Roles
OAuth Client Registration
OAuth Flow
(1) Do something with my resource
(2) Give me permission
(3) I’d like to grant this client certain permissions
(4) Authenticate resource owner and verify permission scope
(5) Return authorization grant
(6) Authorization grant
(7) Authorization grant & client credentials
(8) Access token
(9) Access token
(10) Resource
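The ten steps above are the OAuth 2.0 authorization code grant with three parties: the client, the authorization server, and the resource server. The following added example (not code from the talk or from any OAuth library) runs the whole exchange in one Python process so each message can be seen: the client builds the authorization request, the authorization server checks the registered redirect_uri and issues a one-time code, the client redeems the code together with its credentials for an access token, and the resource server honours the token only for the granted scope. The client id, secret, callback URL and "contacts" resource are constructed for the example; the state parameter binds the callback to the request this client started.

```python
import secrets
import hmac
from urllib.parse import urlencode, urlparse, parse_qs

# Outcome of the "OAuth Client Registration" step, with constructed values
REGISTERED_CLIENTS = {
    "demo-client-id": {
        "secret": "demo-client-secret",
        "redirect_uris": {"https://oauth2demo.example/oauthcallback"},
    }
}


class AuthorizationServer:
    """Toy authorization server: authenticates the owner, issues codes, exchanges them for tokens."""

    def __init__(self):
        self.codes = {}    # code -> (client_id, redirect_uri, scope, owner)
        self.tokens = {}   # access_token -> (owner, scope)

    def authorize(self, params, resource_owner, consented):
        """Steps (3)-(6): returns the redirect the browser is sent back with."""
        client = REGISTERED_CLIENTS.get(params.get("client_id"))
        if client is None:
            raise ValueError("unknown client")
        redirect_uri = params.get("redirect_uri")
        # Exact match against the registered set: anything else is an open-redirect hazard
        if redirect_uri not in client["redirect_uris"]:
            raise ValueError("redirect_uri not registered for this client")
        if params.get("response_type") != "code":
            raise ValueError("unsupported response_type")
        if not consented:
            return redirect_uri + "?" + urlencode({"error": "access_denied", "state": params.get("state", "")})
        code = secrets.token_urlsafe(24)
        self.codes[code] = (params["client_id"], redirect_uri, params.get("scope", ""), resource_owner)
        return redirect_uri + "?" + urlencode({"code": code, "state": params.get("state", "")})

    def token(self, client_id, client_secret, code, redirect_uri):
        """Steps (7)-(8): the grant plus client credentials become an access token."""
        client = REGISTERED_CLIENTS.get(client_id)
        if client is None or not hmac.compare_digest(client["secret"], client_secret):
            raise ValueError("client authentication failed")
        entry = self.codes.pop(code, None)   # a code is single use
        if entry is None or entry[0] != client_id or entry[1] != redirect_uri:
            raise ValueError("invalid grant")
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (entry[3], entry[2])
        return {"access_token": token, "token_type": "Bearer", "scope": entry[2]}


class ResourceServer:
    """Steps (9)-(10): serves the resource only to a token carrying the right scope."""

    def __init__(self, auth_server):
        self.auth_server = auth_server

    def get_contacts(self, bearer_token):
        owner, scope = self.auth_server.tokens.get(bearer_token, (None, ""))
        if owner is None or "contacts" not in scope.split():
            raise PermissionError("token missing or lacks 'contacts' scope")
        return {"owner": owner, "contacts": ["bob@example.com"]}


class Client:
    def __init__(self, client_id, secret, redirect_uri):
        self.client_id, self.secret, self.redirect_uri = client_id, secret, redirect_uri
        self.pending_state = None

    def build_authorization_url(self, scope):
        """Step (2): the request the user's browser is redirected to."""
        self.pending_state = secrets.token_urlsafe(16)
        q = {"scope": scope, "redirect_uri": self.redirect_uri, "response_type": "code",
             "client_id": self.client_id, "state": self.pending_state}
        return "https://accounts.example.com/oauth2/auth?" + urlencode(q)

    def handle_callback(self, callback_url, auth_server):
        """Steps (6)-(8): accept the grant only if state matches, then redeem it."""
        q = {k: v[0] for k, v in parse_qs(urlparse(callback_url).query).items()}
        if not self.pending_state or not hmac.compare_digest(q.get("state", ""), self.pending_state):
            raise ValueError("state mismatch; ignoring callback")
        self.pending_state = None
        if "error" in q:
            raise PermissionError(q["error"])
        return auth_server.token(self.client_id, self.secret, q["code"], self.redirect_uri)


def run_flow(consented=True):
    """Drive steps (1)-(10) in process and return the protected resource."""
    auth = AuthorizationServer()
    rs = ResourceServer(auth)
    client = Client("demo-client-id", "demo-client-secret", "https://oauth2demo.example/oauthcallback")
    url = client.build_authorization_url("contacts")
    params = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    callback = auth.authorize(params, "alice", consented)
    tok = client.handle_callback(callback, auth)
    return rs.get_contacts(tok["access_token"])
```

Two of the checks here are the ones that matter most when reading the slides' flow as a defender: the authorization server compares redirect_uri with the registered value exactly, and the client refuses any callback whose state it did not issue, so a grant cannot be injected into a session that never requested one.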
OpenId
OpenID
• “Driver’s license for the web”
• Authenticate with multiple sites without giving out your credentials
• OpenID 1.0 - 2005
• OpenID 2.0 - 2007
• OpenID Connect – 2014
• OpenID Connect: Authentication protocol based on OAuth 2.0
OpenId Terms
Plain OAuth 2.0 authorization request (scope=contacts, response_type=code):
https://accounts.example.com/oauth2/auth?scope=contacts&nonce=53f2495d7b435ac571&redirect_uri=https%3A%2F%2Foauth2demo.appspot.com%2Foauthcallback&response_type=code&client_id=753560681145-2ik2j3snsvbs80ijdi8.apps.googleusercontent.com
OpenID Connect request (scope=openid+email, response_type=id_token):
https://accounts.example.com/oauth2/auth?scope=openid+email&nonce=53f2495d7b435ac571&redirect_uri=https%3A%2F%2Foauth2demo.appspot.com%2Foauthcallback&response_type=id_token&client_id=753560681145-2ik2j3snsvbs80ijdi8.apps.googleusercontent.com
OAuth and OpenId – Security considerations
• Use OAuth 1.0a at least!
• Preferably, use OAuth 2.0 with TLS
• Properly handle TLS certificate chain validation
• Avoid the “Open Redirect” attack
OAuth 2.0 Threat Model: https://tools.ietf.org/html/rfc6819
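The OpenID Connect request above asks for response_type=id_token with scope=openid+email and carries a nonce. What comes back is an ID token (a JWT), and the relying party has to validate it before treating the user as signed in. The following added example (written for this transcript, not code from the talk or from any OpenID library) parses a JWT with the Python standard library and checks the signature, algorithm, issuer, audience, expiry and nonce. To keep it self-contained it signs with HS256 and a constructed shared secret, which stands in for the RS256 key a real provider publishes; the issuer, the sample claims and the secret are invented, and the audience reuses the client_id shown in the request above.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed stand-ins for a real provider's signing key and issuer
SHARED_SECRET = b"constructed-demo-secret"
EXPECTED_ISSUER = "https://accounts.example.com"
# The client_id from the request above is the audience the ID token must name
EXPECTED_AUDIENCE = "753560681145-2ik2j3snsvbs80ijdi8.apps.googleusercontent.com"


def b64url_decode(s):
    """JWT segments are unpadded base64url; restore the padding before decoding."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_id_token(claims, key=SHARED_SECRET):
    """Build an HS256 JWT; used only to construct the sample token for this example."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"


def validate_id_token(token, expected_nonce, now=None, key=SHARED_SECRET):
    """Return the claims if every check passes, else raise ValueError."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm: the header is attacker-controlled until the signature is checked
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg %r" % header.get("alg"))
    expected_sig = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body_b64))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if aud != EXPECTED_AUDIENCE and not (isinstance(aud, list) and EXPECTED_AUDIENCE in aud):
        raise ValueError("token not issued for this client")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    # The nonce ties the token to the request this client sent; a mismatch means replay or injection
    if not hmac.compare_digest(str(claims.get("nonce", "")), expected_nonce):
        raise ValueError("nonce mismatch")
    return claims


# Constructed sample: the nonce is the one carried in the request shown above
SAMPLE_NONCE = "53f2495d7b435ac571"
SAMPLE_TOKEN = make_id_token({
    "iss": EXPECTED_ISSUER,
    "sub": "user-123",
    "aud": EXPECTED_AUDIENCE,
    "email": "alice@example.com",
    "iat": 1700000000,
    "exp": 1700003600,
    "nonce": SAMPLE_NONCE,
})
```

The relying party stores the nonce it put into the request (typically in the session) and compares it on return; together with the audience check this is what stops an ID token issued to some other client, or captured earlier, from being accepted as a fresh login.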
In summary
• Delegate identity management to a secure IdP
• Use an established standard
• Beware of security vulnerabilities
• What I didn’t talk about:
  • Vendor-specific implementations
  • Technology-specific implementations
Standards
SAML 2.0
  Main purpose: Single sign on for enterprise users
  Support: Web applications
  Protocols used: XML, HTTP, SOAP
OAuth 2.0
  Main purpose: API authorization between applications
  Support: Web, mobile
  Protocols used: JSON, HTTP
OpenId Connect
  Main purpose: Single sign on for consumers
  Support: Web, mobile
  Protocols used: JSON, HTTP
Thanks! Questions?
Twitter: @salonijshah