Identity Federation: Bridging the Identity Gap
Michael Koyfman, Senior Global Security Solutions Architect
F5 Agility 2014 2
The Need for Federation
5 key patterns that drive Federation evolution (Mary E. Ruddy, Gartner):
• The movement of applications out of the enterprise domain
• The movement of user populations out of the enterprise domain
• The movement of devices out of the enterprise domain
• The movement of IAM out of the enterprise domain
• The movement of the enterprise domain itself
Federated Identity – What is it?
• Companies outsource applications and infrastructure at a very rapid pace
• Having each application enforce the “authority” over a user’s identity is cumbersome
• There is no cross-application password synchronization mechanism
• Users can’t easily manage coterminous password expiration across various applications
• Not all applications can support the same userid format as the one primarily used
• Companies need to provide access to customers and partners without the added headaches of manually managing user accounts and password resets
Federated Identity – How does it help?
• Controls identity and access within the enterprise
• Flexibility to use cloud applications and infrastructure
• Creates a trust between two entities with industry standards
• Allows B2B authentication with cloud and SaaS providers
• Instant termination of authentication upon employee departure
• No need to duplicate directory everywhere
SAML POST vs. Artifact
POST binding
The user’s browser sits between all communications of the SP and the IdP; it acts as an intermediary for the transmission of all messages.
Disadvantages: All communications go through the user’s browser, so the messages could be intercepted by malicious code on the user’s PC.
Advantages: Simpler than Artifact binding. Does not require a direct network connection between IdP and SP.
Artifact binding
Partial direct connection between the IdP and the SP. That connection is leveraged during the <ArtifactResolve> / <ArtifactResponse> phases, hence avoiding the security risk induced by a middle connection.
Disadvantages: Requires a direct connection between IdP and SP, which could lead to firewall/resolution/routing issues to be solved. The communication flow is longer and more complex.
Advantages: Communications are considered more secure.
OAuth 2.0
• Open standard for Authorization
• “OAuth is often described as a valet key for the web”
• Proposed Standard RFC 6749
• Key Driver – Twitter, Facebook
• OAuth 2.0 is not compatible with 1.0
SAML 2.0 – Using Assertions to Authenticate
• SAML Assertion is a Token/Cookie used to authenticate users (simplified)
  • Signing the Assertion
  • Encrypting the Assertion
• SAML IdP (Identity Provider)
  • The device that authenticates the user
  • The device that creates, signs, encrypts and inserts the Assertion
  • The device that redirects the user to the target application with the Assertion
• SAML SP (Service Provider)
  • The device that redirects the user request to the IdP for authentication
  • The device that consumes the Assertion and validates it
  • The device that redirects the authenticated user to the application
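The SP-side validation step named above (consume the Assertion and validate it), worked through for a POST-binding Response as an added example; this is not code from the deck or from F5 APM. The Response, the request ID and the IdP/SP URLs (borrowed from the deck's later login.f5se.com / mail.f5se.com scenario) are constructed, and XML-DSig verification is assumed to be done by a library such as xmlsec before these checks are trusted.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Namespaces of SAML 2.0 protocol/assertion messages and XML-DSig.
NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_response(b64, expected_issuer, expected_audience, outstanding_ids, now):
    """Checks an SP applies to a POST-binding <Response>; returns (ok, detail). XML-DSig
    verification is left to a library (assumption); here an unsigned assertion is only refused."""
    root = ET.fromstring(base64.b64decode(b64))
    code = root.find("p:Status/p:StatusCode", NS)
    if code is None or not code.get("Value", "").endswith(":Success"):
        return False, "status is not Success"
    asn = root.find("a:Assertion", NS)
    if asn is None:
        return False, "no plaintext Assertion"
    if asn.find("ds:Signature", NS) is None and root.find("ds:Signature", NS) is None:
        return False, "assertion is unsigned"
    if asn.findtext("a:Issuer", default="", namespaces=NS) != expected_issuer:
        return False, "unexpected Issuer"
    # The Response must answer an AuthnRequest this SP sent: no unsolicited or replayed responses.
    if root.get("InResponseTo") not in outstanding_ids:
        return False, "InResponseTo does not match an outstanding AuthnRequest"
    cond = asn.find("a:Conditions", NS)
    if cond is None:
        return False, "missing Conditions"
    if now < _ts(cond.get("NotBefore")) or now >= _ts(cond.get("NotOnOrAfter")):
        return False, "assertion outside its validity window"
    audiences = [e.text for e in cond.findall("a:AudienceRestriction/a:Audience", NS)]
    if expected_audience not in audiences:
        return False, "assertion not addressed to this SP"
    return True, asn.findtext("a:Subject/a:NameID", default="", namespaces=NS)

# Constructed sample Response (not a real IdP message); <ds:Signature/> is a placeholder.
SAMPLE = base64.b64encode(b"""<p:Response xmlns:p="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:a="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 ID="_r1" InResponseTo="_req42"><p:Status><p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></p:Status>
 <a:Assertion ID="_a1"><a:Issuer>https://login.f5se.com</a:Issuer><ds:Signature/>
 <a:Subject><a:NameID>alice@f5se.com</a:NameID></a:Subject>
 <a:Conditions NotBefore="2014-08-01T10:00:00Z" NotOnOrAfter="2014-08-01T10:05:00Z">
 <a:AudienceRestriction><a:Audience>https://mail.f5se.com</a:Audience></a:AudienceRestriction>
 </a:Conditions></a:Assertion></p:Response>""")
```

Calling validate_response(SAMPLE, "https://login.f5se.com", "https://mail.f5se.com", {"_req42"}, _ts("2014-08-01T10:02:00Z")) accepts the assertion and returns the NameID; shifting the clock past NotOnOrAfter, changing the audience, or passing an empty set of outstanding request IDs each yields a rejection.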
SAML Design (Public SP Application) – Academic Environment
Internet user makes a SAML-supported request for a resource.
[Diagram: Partner Schools (End User, SAML IdP); University App DMZ (SAML SP); Research App in Private/Public Cloud]
Service provider (SP) application performs IdP Discovery to find out how to authenticate the user.
APM detects the user’s IdP and redirects the user to their specific IdP using SP-Initiated POST (or Redirect).
Internet user makes a SAML-supported request for a resource, including the SAML Assertion.
APM validates the assertion and sends the request to the application.
APM also has the ability to perform an LDAP/AD query for further validation and to set appropriate ACLs based on variables such as domain, user, device type, origin network, etc.
[Diagram: same topology as above, plus LDAP]
Question: How will we detect the user’s IdP?
- Host
- URI
- Email
- Other
- Anything that is constant and predictable can be used for IdP Discovery
SAML – Authenticating to the App without User/Pass
The SAML Assertion replaces the requirement for a password.
APM SSO to the application will be Kerberos (KCD) or custom auth via headers or something similar.
You must understand how the application identifies the user and creates a session.
Any mechanism requiring a password will not work: NTLM, Basic, Forms POST.
Unless the IdP passes the original user’s password as a parameter and it is valid in the context of authenticating to the application; then NTLM/Basic/Forms can be used.
[Diagram: End User; SAML IdP; Sharepoint.customer.com; OWA.customer.com; Internal Application; Servers]
Exchange Hybrid Federation Scenario: user with mailbox on premises
[Diagram: Customer DataCenter with login.f5se.com, mail.f5se.com, Active Directory and CAS Array; Azure Cloud; User; Servers]
1. User goes to https://mail.f5se.com
2. Exchange SP virtual sends them to the IdP login.f5se.com with a SAML AuthN request
3. User enters their credentials and authenticates to the login service
4. Login responds with a SAML Assertion that contains username and password; it gets sent to the OWA SP
5. Exchange SP policy checks if the user is on-premises and forwards to CAS
Exchange Hybrid Federation Scenario: user with mailbox hosted in Office 365
[Diagram: Customer DataCenter with login.f5se.com, mail.f5se.com, Active Directory and CAS Array; Azure Cloud; User]
1. User goes to https://mail.f5se.com
2. Exchange SP virtual sends them to the IdP login.f5se.com with a SAML AuthN request
3. User enters their credentials and authenticates to the login service
4. Login responds with a SAML Assertion that contains username and password; it gets sent to https://mail.f5se.com
5. Exchange SP policy determines the user is hosted in Office 365 and redirects them to https://outlook.com/owa/f5se.com
6. Office 365 sends an authentication request to login.f5se.com
7. The login.f5se.com IdP responds with a SAML assertion (the user has already authenticated to it in step 3) and the user is signed on to OWA in Office 365
SAML – Federating APM’s Authentication to the App (With and Without Password)
Client successfully logs on to an Internal Application where the APM VIP requires SAML Authentication.
[Diagram: Users; Private/Public Cloud; Data Center 1 with Login.customer.com, Portal.customer.com, OWA.customer.com, Sharepoint.customer.com, Internal Application and Servers]
The BIG-IP VIP should be configured to redirect to the Corporate SAML IdP.
An SP-Initiated POST is sent back to the client in the form of a redirect to the IdP (https://login.f5se.com).
The client is presented with a Username/Password form from the IdP (including 2-factor based on policy).
The APM policy is run to authenticate the user against their user store.
The user’s browser is presented with a SAML Assertion.
The client is redirected to the VIP and APM successfully logs the user on to the Internal Application.
SAML – Federating APM’s Authentication to the App (With and Without Password)
Let’s look at how the applications create a session:
• OWA authenticates users via Kerberos, so no password is required.
• Sharepoint uses NTLM. F5 APM as an IdP can be configured to insert session.logon.last.password into the Assertion as a SAML variable; the APM functioning as SP can use this when creating the session for the user.
• The Internal Application authenticates the user via an HTTP header and trusts the BIG-IP … The variable ${session.logon.last.password} is not required to be inserted by the IdP for use at the SP.
SAML SLO – Single LogOut
• Initiated from APM
  • As SP: a POST is done to the logout URL in the IdP connector
  • As IdP: a POST is done to the logout URL in the SP connectors; done whenever the my.logout.php3 URL is encountered
• Initiated from elsewhere
  • APM as SP: we kill the session and do a POST to the response URL in the IdP connector
  • As IdP: we kill the session and do a POST to the response URL in the SP connector
[Diagram: SLO message sequence between Users, IDP, SP1 and SP2: 1 Logout URL; 2 Logout SP1; 3 Logout RQ1; 4 Logout RSP1; 5 Logout RSP1; 6 and 7 Logout RQ SP2; 8 Logout RSP SP2; 9 Final Logout]
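The two SLO cases on this slide (logout started at APM as IdP through its logout URL, or started elsewhere by one SP) modelled as an added example; this is not APM's implementation. It assumes the IdP remembers every SP that received an assertion for a session, sends a LogoutRequest to each of the others, and answers the initiator only after all of them have responded, reporting PartialLogout when one SP fails; the class, its method names and the message dicts are constructed stand-ins for the SAML messages.

```python
import uuid

class IdpLogoutCoordinator:
    """In-memory model of SLO fan-out at the IdP (constructed example, not APM code).
    Messages are dicts standing in for <LogoutRequest>/<LogoutResponse>; the POSTs to
    the connector logout and response URLs happen outside this class."""

    def __init__(self):
        self.sessions = {}   # SessionIndex -> {"user", "sps", "initiator", "outcome"}
        self.pending = {}    # LogoutRequest ID -> (SessionIndex, sp)

    def record_login(self, session_index, user, sp):
        """Remember every SP that received an assertion for this session."""
        self.sessions.setdefault(session_index, {"user": user, "sps": set()})["sps"].add(sp)

    def start_logout(self, session_index, initiator=None):
        """Return the LogoutRequests to POST to every other SP in the session.
        initiator=None models a logout begun at the IdP's own logout URL."""
        sess = self.sessions.get(session_index)
        if sess is None:
            return []
        sess["initiator"], sess["outcome"] = initiator, "Success"
        reqs = []
        for sp in sorted(sess["sps"] - {initiator}):
            req_id = "_" + uuid.uuid4().hex
            self.pending[req_id] = (session_index, sp)
            reqs.append({"type": "LogoutRequest", "ID": req_id, "to": sp,
                         "NameID": sess["user"], "SessionIndex": session_index})
        if not reqs:
            self.sessions.pop(session_index)   # nobody else to notify: kill the session now
        return reqs

    def receive_response(self, resp):
        """Consume one SP's LogoutResponse. Returns the final LogoutResponse for the
        initiator once every SP has answered, otherwise None."""
        key = resp.get("InResponseTo")
        if key not in self.pending:
            return None   # unsolicited or replayed response: ignore it
        session_index, sp = self.pending.pop(key)
        sess = self.sessions[session_index]
        if resp.get("status") != "Success":
            sess["outcome"] = "PartialLogout"   # that SP's local session may survive
        if any(s == session_index for s, _ in self.pending.values()):
            return None
        self.sessions.pop(session_index)   # kill the IdP session last
        return {"type": "LogoutResponse", "to": sess["initiator"], "status": sess["outcome"]}
```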
SAML Lab Overall Use Cases
[Diagram: Users; Data Center 2 with OWA.customer.com, Sharepoint.customer.com, Internal Application, Servers, Login.customer.com and Portal.customer.com; Private/Public Cloud; Business Partners with ADFS; SaaS - PaaS; Active Directory]