Shibboleth-based hybrid authentication
MobCom Workshop
February 6th, 2013
Faysal Boukayoua - MSEC
Overview
• Intro
• Motivation
• Prototype
– Approach
– Interactions
– Evaluation
– Demo
Intro: Context
MobCom:
• Loyalty cards & discount vouchers
• Context-aware services
• Flexible Access Control
• Shibboleth-based hybrid authentication
Intro: The old days
Figure: three organisations (University A, Library B, University C) and their resources (Student Admin, Web Mail, e-Learning, Literature DB, e-Learning, Research DB, e-Journals). Legend: Authorization, User Administration, Authentication, Resource, Credentials.
Source: SWITCHaai (http://goc.pragma-grid.net/pragma-doc/pragma-summit/aai_introduction.ppt)
Intro: Now
Figure: the same three organisations (University A, Library B, University C) and resources (Student Admin, Web Mail, e-Learning, Literature DB, e-Learning, Research DB, e-Journals), with an AAI (Authentication and Authorization Infrastructure) added. Legend: Authorization, User Administration, Authentication, Resource, Credentials.
Source: SWITCHaai (http://goc.pragma-grid.net/pragma-doc/pragma-summit/aai_introduction.ppt)
Intro: What is Shibboleth?
• Federated identity management middleware
• Interorganisational:
– identities
– trust
• SAML 2.0-compliant
• Widely in use
Intro: Shibboleth authentication
Parties: User, User's browser, Identity provider, Service provider
1. Request resource
2. Redirect to IdP
3. Prompt for authentication
4. Authenticate
5. Assert attributes and redirect
6. Return resource
Intro: MSEC's IdM architecture
Parties: User, SPi, IdPX, IdPY, IdPZ
1. Mutual auth.
2. Attribute_query
3. Review query
4. Confirm
5. Release_attrs
• Smartcard technology
• Support for:
– Mutable and new attributes
– Pseudonymity and anonymity
– Multiple identity providers
– Separation between IdPs and SPs
Motivation
                               Shibboleth           MSEC's arch.
Must modify workstation?       Default: no          Yes
Standards & interoperability
Strong authentication          Default: passwords   Yes
User consent                   Default: no          Yes
Selective disclosure           Default: no          Yes
Trust in IdP
SP-IdP collusion               Yes                  No
Motivation (2)
Can we:
• maintain strengths?
• mitigate drawbacks?
Prototype: Approach
Parties: User, Shibboleth Service Provider, Shibboleth Identity Provider, IdPX, IdPY, IdPZ
1. SAML attribute query
2. Mutual auth.
3. Attribute_query
4. Review query
5. Confirm
6. Release_attrs
7. SAML attribute assertion
Prototype: Interactions
Parties: User, User's browser, Phone + secure µSD, Service Provider, Identity provider
1. Request resource
2. Redirect
3. Show QR challenge
4. Scan QR challenge
5. Show feedback
6. Review and consent
8. Authenticate
9. Disclose requested attributes
10. Assert attributes and redirect
11. Return resource
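The Approach and Interactions slides above only name the messages; the following Python model, added here as an illustration and not code from the MSEC prototype or the talk, plays the exchange end to end so the two properties evaluated later (user consent with selective disclosure, and a phone that only answers its own IdP) can be checked concretely. Every concrete choice is an assumption: the QR challenge is a JSON dict carrying the IdP identity, a fresh nonce and the pending attribute query; the secure microSD is stood in for by an HMAC key shared with the IdP at enrolment; and the SAML attribute assertion is a dict with an HMAC tag in place of an XML signature. Names such as `idp.example.org`, `sp.example.org` and the attribute values are constructed.

```python
"""Toy model of the hybrid flow on the Interactions slide (added example, not the prototype).

Assumptions: the QR challenge is a JSON dict; the phone's secure element proves itself
with an HMAC key shared with the IdP at enrolment; the IdP's SAML assertion is a dict
with an HMAC tag standing in for the XML signature.
"""
import hashlib
import hmac
import json
import secrets

# Constructed sample data standing in for the enrolled secure microSD and the IdP.
IDP_ID = "idp.example.org"                          # constructed IdP identifier
PHONE_KEY = b"phone-idp-shared-key-CONSTRUCTED"      # shared at enrolment (assumption)
IDP_SIGNING_KEY = b"idp-assertion-key-CONSTRUCTED"   # stands in for the IdP signing key
USER_ATTRS = {"eduPersonAffiliation": "student",
              "mail": "alice@example.org",
              "givenName": "Alice"}


def sp_attribute_query(sp_id, wanted):
    """Approach step 1: the Shibboleth SP asks the IdP for named attributes."""
    return {"sp": sp_id, "attributes": list(wanted)}


def idp_qr_challenge(query):
    """Interactions steps 2-3: the IdP binds a fresh nonce to its own identity and the
    pending query; the browser renders this as the QR code the phone scans."""
    return {"idp": IDP_ID, "nonce": secrets.token_hex(16), "query": query}


def phone_mutual_auth(challenge, trusted_idps):
    """Step 8 (phone side): answer only challenges naming an IdP the phone enrolled with.
    A challenge relayed from an unknown origin gets no response (assumed phishing defence)."""
    if challenge["idp"] not in trusted_idps:
        return None
    tag = hmac.new(PHONE_KEY, challenge["nonce"].encode(), hashlib.sha256).hexdigest()
    return {"nonce": challenge["nonce"], "tag": tag}


def idp_verify_phone(challenge, response):
    """Step 8 (IdP side): check the phone's proof against the nonce the IdP issued."""
    if response is None or response["nonce"] != challenge["nonce"]:
        return False
    expected = hmac.new(PHONE_KEY, challenge["nonce"].encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, response["tag"])


def user_consent(challenge, approved):
    """Steps 5-6: the phone shows the SP and requested attributes; the user approves a subset."""
    return [a for a in challenge["query"]["attributes"] if a in approved]


def phone_release_attrs(consented):
    """Step 9: selective disclosure; only consented attributes leave the phone."""
    return {a: USER_ATTRS[a] for a in consented if a in USER_ATTRS}


def _assertion_tag(body):
    # Canonical JSON so the SP recomputes exactly what the IdP tagged.
    return hmac.new(IDP_SIGNING_KEY, json.dumps(body, sort_keys=True).encode(),
                    hashlib.sha256).hexdigest()


def idp_assert(query, attrs):
    """Approach step 7 / Interactions step 10: the IdP asserts the released attributes to the SP."""
    body = {"issuer": IDP_ID, "audience": query["sp"], "attributes": attrs}
    return dict(body, tag=_assertion_tag(body))


def sp_verify(assertion):
    """The SP accepts the assertion only if the tag matches (stands in for the SAML signature check)."""
    body = {k: assertion[k] for k in ("issuer", "audience", "attributes")}
    return hmac.compare_digest(_assertion_tag(body), assertion["tag"])


def run_flow(sp_id, wanted, approved, trusted_idps):
    """Drive the whole exchange; returns the assertion the SP receives, or None if auth fails."""
    query = sp_attribute_query(sp_id, wanted)
    challenge = idp_qr_challenge(query)
    response = phone_mutual_auth(challenge, trusted_idps)
    if not idp_verify_phone(challenge, response):
        return None
    attrs = phone_release_attrs(user_consent(challenge, approved))
    return idp_assert(query, attrs)


if __name__ == "__main__":
    result = run_flow("sp.example.org", ["mail", "givenName"], {"mail"}, {IDP_ID})
    print(json.dumps(result, indent=2))
```

Running `run_flow` with the SP asking for three attributes and the user approving two yields an assertion carrying only those two, which is the selective-disclosure point of the Evaluation slide; passing an empty set of trusted IdPs makes the phone refuse the challenge and the flow return `None`, which is the behaviour the model assumes behind the "resilience against phishing" claim. The Shibboleth SP side only ever sees the attribute query and the assertion, matching the "Shibboleth SP unmodified" point.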
Prototype: Evaluation
• User consent
• Selective disclosure
• Resilience against phishing
• Shibboleth SP unmodified
• Portable across workstations
• Less trust in Shibboleth IdP
Prototype: Demo