Geneva Application Security Forum: Towards stronger authentication in web applications
OpenID & SAML: Single Sign-On Concepts with a Future
OpenID & SAML, Identity Federation, SuisseID, Strong Authentication Service
Robert Ott, Master of Science (Honors), CFO
Fredi Weideli, Master of Computer Science, CTO
clavid ag, Zug
Geneva Application Security Forum 2010, March 4th 2010
Robert Ott
- OpenID Representative Switzerland
- CFO, Clavid AG, Switzerland
Agenda
• SECTION 1 OpenID - What is it? How does it work? Integration?
• SECTION 2 SAML - What is it? How does it work?
• SECTION 3 Identity Federation
• SECTION 4 A Word on SuisseID
• SECTION 5 Strong Authentication as a Service
• SECTION 6 Further Links / Conclusion / Q&A
SECTION 1
OpenID
> What is it?
> How does it work?
> How to integrate?
OpenID - What is it?
> Internet Single Sign-On
> Relatively Simple Protocol
> User-Centric Identity Management
> Internet Scalable
> Free Choice of Identity Provider
> No License Fee
> Independent of Identification Methods
> Non-Profit Organization
OpenID - How does it work?
[Figure: OpenID delegation. User Hans Muster (domain www.iid.ch) uses the Identity URL hans.muster.iid.ch; the Enabled Service sees OpenID = hans.muster.iid.ch, while AUTHENTICATION happens at the Identity Provider (e.g. clavid.ch).]
OpenID - How does it work?
[Figure: OpenID login sequence between User Hans Muster, the Enabled Service and the Identity Provider (e.g. clavid.com, Identity URL https://hans.muster.clavid.com). Caption: 1. User enters OpenID, 2. Discovery, 3. Authentication, 4. Approval, 4a. Change Attributes, 5. Send Attributes, 6. Validation.]
OpenID - How does it work?
Step 1: A user decides to use a personalized Internet Service supporting OpenID (e.g. local.ch). The user clicks on
"Login using OpenID" and enters their OpenID (e.g. hans.muster.iid.ch).
Step 2: The requested Internet Service converts the OpenID into a URL (http://hans.muster.iid.ch) and requests
this URL in order to discover the Identity Provider of the user.
Step 2a: In this example, the user has delegated their OpenID to the Identity Provider clavid.ch.
Step 3: The Identity Provider offers the possible authentication methods for that specific user (in this case
"Password"). Having successfully authenticated, the next step (approval) is initiated.
Step 4: The user decides on the values of the requested attributes to be provided to the Internet Service. The
Identity Provider usually provides user-specific Personas (attribute templates) to assist the user in this
approval process.
Step 4a: At this point, the user may decide to change attribute values and store them on the Identity Provider for
future approvals for that specific service. Thus, a user can automate future approvals for specific Internet
Services.
Step 5, 6: The attribute values are then signed and communicated from the Identity Provider to the Internet
Service. The Internet Service validates the signature of the provided attributes and only then accepts the user
as authenticated.
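The two relying-party steps above that are most often implemented incorrectly are step 2 (discovery, including the delegation case of step 2a) and step 6 (validation). The following Python is an added example, not code from the slides or from clavid; it uses only the standard library. The identifier page HTML, the association secret and the return URL are constructed for the example, and the "provider" is simulated by signing the assertion locally with the same shared secret. Beyond the signature check that the slide names, the validation also applies the other checks a relying party needs: the signed field list must cover the security-relevant fields, the endpoint must match what discovery found, return_to must be ours, and the response nonce must not have been seen before.

```python
import base64
import hashlib
import hmac
from html.parser import HTMLParser
from urllib.parse import urlsplit


def normalize_identifier(user_input: str) -> str:
    """Step 2: the OpenID the user typed (e.g. hans.muster.iid.ch) becomes a URL to fetch."""
    s = user_input.strip()
    if not s.lower().startswith(("http://", "https://")):
        s = "http://" + s
    parts = urlsplit(s)
    # Empty path becomes "/", the fragment is dropped (OpenID 2.0 normalization rules).
    url = f"{parts.scheme}://{parts.netloc.lower()}{parts.path or '/'}"
    return url + (f"?{parts.query}" if parts.query else "")


class _LinkCollector(HTMLParser):
    """Collects <link rel=... href=...> tags from the fetched identifier page."""
    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag == "link":
            a = dict(attrs)
            for rel in (a.get("rel") or "").split():
                self.links[rel] = a.get("href")


def html_discover(page_html: str) -> dict:
    """Step 2/2a: find the provider endpoint and the delegated local identifier."""
    p = _LinkCollector()
    p.feed(page_html)
    endpoint = p.links.get("openid2.provider") or p.links.get("openid.server")  # 2.0, then 1.x names
    local_id = p.links.get("openid2.local_id") or p.links.get("openid.delegate")
    if not endpoint:
        raise ValueError("identifier page declares no OpenID provider")
    return {"op_endpoint": endpoint, "local_id": local_id}


def sign_fields(params: dict, assoc_secret: bytes) -> str:
    """Key-Value Form encoding of the fields listed in openid.signed, HMAC-SHA1, base64."""
    kv = "".join(f"{k}:{params['openid.' + k]}\n" for k in params["openid.signed"].split(","))
    return base64.b64encode(hmac.new(assoc_secret, kv.encode(), hashlib.sha1).digest()).decode()


def verify_positive_assertion(params: dict, assoc_secret: bytes, expected_return_to: str,
                              discovered_endpoint: str, seen_nonces: set) -> bool:
    """Step 6: the relying party's checks before it accepts the user as authenticated."""
    if params.get("openid.mode") != "id_res":
        return False
    # Every security-relevant field must be covered by the signature, not merely present.
    required = {"op_endpoint", "return_to", "response_nonce", "assoc_handle", "claimed_id", "identity"}
    if not required <= set(params.get("openid.signed", "").split(",")):
        return False
    if params.get("openid.op_endpoint") != discovered_endpoint:   # endpoint found by our own discovery
        return False
    if params.get("openid.return_to") != expected_return_to:      # response really meant for us
        return False
    nonce = params.get("openid.response_nonce")
    if nonce in seen_nonces:                                      # replayed assertion
        return False
    if not hmac.compare_digest(sign_fields(params, assoc_secret), params.get("openid.sig", "")):
        return False
    seen_nonces.add(nonce)
    return True


# Constructed identifier page for hans.muster.iid.ch, delegating to a provider (not a real page).
SAMPLE_HTML = """<html><head>
<link rel="openid2.provider openid.server" href="https://clavid.ch/openid/server" />
<link rel="openid2.local_id openid.delegate" href="https://hans.muster.clavid.ch" />
</head><body>Hans Muster</body></html>"""
SECRET = b"constructed-association-secret"   # shared RP/provider association key, constructed
RETURN_TO = "https://rp.example.invalid/openid/return"


def demo() -> dict:
    claimed = normalize_identifier("hans.muster.iid.ch")
    disc = html_discover(SAMPLE_HTML)
    resp = {   # the positive assertion the provider would send back in step 5
        "openid.ns": "http://specs.openid.net/auth/2.0", "openid.mode": "id_res",
        "openid.op_endpoint": disc["op_endpoint"], "openid.claimed_id": claimed,
        "openid.identity": disc["local_id"], "openid.return_to": RETURN_TO,
        "openid.response_nonce": "2010-03-04T10:00:00Zabc123", "openid.assoc_handle": "h1",
        "openid.signed": "op_endpoint,return_to,response_nonce,assoc_handle,claimed_id,identity",
    }
    resp["openid.sig"] = sign_fields(resp, SECRET)
    seen = set()
    first = verify_positive_assertion(resp, SECRET, RETURN_TO, disc["op_endpoint"], seen)
    replay = verify_positive_assertion(resp, SECRET, RETURN_TO, disc["op_endpoint"], seen)
    forged = {**resp, "openid.identity": "https://someone.else.clavid.ch"}   # signature no longer matches
    tampered = verify_positive_assertion(forged, SECRET, RETURN_TO, disc["op_endpoint"], set())
    return {"claimed_id": claimed, "endpoint": disc["op_endpoint"], "local_id": disc["local_id"],
            "accepted": first, "replay_accepted": replay, "tampered_accepted": tampered}


if __name__ == "__main__":
    print(demo())
```

In a real relying party the association secret comes from the Diffie-Hellman association exchange with the provider (or the response is checked with a `check_authentication` request), and the nonce store must be shared across all web nodes; the checks themselves are the same as shown.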
OpenID - How does it work?
[Screenshot slides of the login flow]
OpenID - User Centric Identity Management
[Figure: TODAY: a separate Username/Password for each of four services. TOMORROW?: the services authenticate through one OpenID Provider, the user keeps a single Password. FUTURE?]
OpenID - How to Integrate?
Assumptions concerning your current site
• Users sign in with their username and password
• There is a form where new users have to register
• Each user is identified by a unique ID in your database
• A settings page lets users manage their account info
Recipe
• Extend the database to map the OpenIDs to the user IDs
• Extend the registration page with an OpenID input field
• Extend the sign-in page with an OpenID input field
• Extend the settings page to attach and detach OpenIDs
OpenID - How to Integrate?
Ingredients
• An OpenID Consumer Library
• The Standard OpenID Logos
• An OpenID Provider to test your site with
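The recipe (map OpenIDs to user IDs; extend registration, sign-in and settings) is the account-linking part of the integration, and it is where the consumer library does not help. The following Python with sqlite3 is an added example of that data model, not code from the slides or from any of the listed libraries; the schema, the `Accounts` class and the sample accounts are assumptions for the example. Two points it demonstrates that the recipe leaves implicit: the OpenID column is the primary key, so one verified identifier can only ever belong to one local account, and detaching refuses to remove an account's last login method.

```python
import sqlite3

# Schema extension from the recipe: one row per verified OpenID, each pointing at exactly one local user.
SCHEMA = """
CREATE TABLE users (
    id            INTEGER PRIMARY KEY,
    username      TEXT UNIQUE NOT NULL,
    password_hash TEXT                      -- NULL for accounts that only log in via OpenID
);
CREATE TABLE user_openids (
    openid_url TEXT PRIMARY KEY,             -- normalised claimed identifier as verified by the RP
    user_id    INTEGER NOT NULL REFERENCES users(id) ON DELETE CASCADE
);
CREATE INDEX user_openids_by_user ON user_openids(user_id);
"""


class Accounts:
    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.execute("PRAGMA foreign_keys = ON")
        self.db.executescript(SCHEMA)

    def register(self, username, password_hash=None, openid_url=None):
        """Registration page: a new user needs at least one way to log in."""
        if not (password_hash or openid_url):
            raise ValueError("need a password or an OpenID")
        cur = self.db.execute("INSERT INTO users(username, password_hash) VALUES (?, ?)",
                              (username, password_hash))
        if openid_url and not self.attach(cur.lastrowid, openid_url):
            self.db.execute("DELETE FROM users WHERE id = ?", (cur.lastrowid,))
            raise ValueError("OpenID already linked to another account")
        return cur.lastrowid

    def attach(self, user_id, openid_url):
        """Settings page: link an OpenID the RP has just verified.
        The PRIMARY KEY stops the same identifier from being attached to a second account."""
        try:
            self.db.execute("INSERT INTO user_openids(openid_url, user_id) VALUES (?, ?)",
                            (openid_url, user_id))
        except sqlite3.IntegrityError:
            return False
        return True

    def detach(self, user_id, openid_url):
        """Settings page: unlink, but never remove the account's last remaining login method."""
        row = self.db.execute(
            "SELECT password_hash, (SELECT COUNT(*) FROM user_openids WHERE user_id = ?) "
            "FROM users WHERE id = ?", (user_id, user_id)).fetchone()
        if row is None or (row[0] is None and row[1] <= 1):
            return False
        cur = self.db.execute("DELETE FROM user_openids WHERE user_id = ? AND openid_url = ?",
                              (user_id, openid_url))
        return cur.rowcount == 1

    def user_for_openid(self, openid_url):
        """Sign-in page: called with the VERIFIED claimed identifier, never the raw typed value."""
        row = self.db.execute("SELECT user_id FROM user_openids WHERE openid_url = ?",
                              (openid_url,)).fetchone()
        return row[0] if row else None


def demo():
    acc = Accounts()
    hans = acc.register("hans", openid_url="http://hans.muster.iid.ch/")      # OpenID-only account
    eve = acc.register("eve", password_hash="$argon2id$placeholder-hash")      # password account
    return {
        "lookup": acc.user_for_openid("http://hans.muster.iid.ch/") == hans,
        "unknown": acc.user_for_openid("http://nobody.example.invalid/"),
        "already_linked": acc.attach(eve, "http://hans.muster.iid.ch/"),      # owned by hans -> False
        "last_method": acc.detach(hans, "http://hans.muster.iid.ch/"),        # would lock hans out -> False
        "second": acc.attach(hans, "https://hans.muster.clavid.com/"),
        "detach_ok": acc.detach(hans, "http://hans.muster.iid.ch/"),          # another one remains -> True
        "pw_user_detach": acc.attach(eve, "https://eve.example.invalid/")
                          and acc.detach(eve, "https://eve.example.invalid/"),  # password remains -> True
    }


if __name__ == "__main__":
    print(demo())
```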
OpenID - How to Integrate?
OpenID Libraries
Language    Library
C#          DotNetOpenId, ExtremeSwank
C++         Libopkele
Java        NetMesh InfoGrid LID, OpenID4Java, joid
Perl        Net::OpenID, OpenID4Perl
Python      JanRain
Ruby        JanRain, Heraldry
PHP         JanRain, Zend Framework OpenID Component, Saeven.net's JanRain Service Utility Class, Taral, Simple Class, sfOpenIDPlugin, CakePHP, EasyOpenID, OpenID For PHP, AuthOpenID Snippet
ColdFusion  CFKit OpenID, CFOpenID, OpenID CFC
Apache 2    mod_auth_openid
SECTION 2
SAML
> What is it?
> How does it work?
SAML – What is it?
SAML (Security Assertion Markup Language):
> Defined by the OASIS Group
> Well and Academically Designed Specification
> Uses XML Syntax
> Used for Authentication & Authorization
> SAML Assertions
  > Statements: Authentication, Attribute, Authorization
> SAML Protocols
  > Queries: Authentication, Artifact, Name Identifier Mapping, etc.
> SAML Bindings
  > SOAP, Reverse-SOAP, HTTP-GET, HTTP-POST, HTTP-Artifact
> SAML Profiles
  > Web Browser Single Sign-On Profile, Identity Provider Discovery Profile, Assertion Query / Request Profile, Attribute Profile
SAML – How does it work?
[Figure: SAML web browser SSO. User Hans Muster accesses a Resource on the Enabled Service (e.g. Google Apps for Business); the service redirects the browser with <AuthnRequest> to the Identity Provider (e.g. clavid.ch); after AUTHENTICATION the Identity Provider redirects back with <Response> (signed Assertion) and the Resource is delivered.]
SAML – How does it work?
[Figure: the same exchange between User Hans Muster, the Enabled Service (e.g. Google Apps for Business) and the Identity Provider (e.g. clavid.ch), with the numbered steps 1 to 6 described below.]
SAML – How does it work?
Step 1: A user decides to use a personalized Internet Service connected to a SAML-based Identity Provider (e.g. Google Business Application Calendar).
Step 2: The Internet Service recognizes that the user is not logged in yet. A SAML <AuthnRequest> is created and sent via redirect to the Identity Provider.
Step 3: The Identity Provider offers the possible authentication methods for that specific user (in this case "YubiKey" OTP). Having successfully authenticated, the next step is initiated.
Step 4: The Identity Provider creates a SAML <Response> containing the user's identifier for the specific target application. Then it signs the SAML <Response> and sends it via a POST redirect to the Internet Service (e.g. Google Calendar).
Step 5: The Internet Service (e.g. Google Apps) verifies the signature of the SAML <Response> and now knows the user's identifier provided by the Identity Provider.
Step 6: The Internet Service can now be used by the user.
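The following Python is an added example of steps 2, 4 and 5, not code from the slides, from clavid or from Google. It shows the HTTP-Redirect binding that carries the <AuthnRequest> in step 2 (raw DEFLATE, base64, URL-encoding), the decode on the provider side, and the checks the service must make on the <Response> in step 5 after the XML signature has been verified. Signature verification itself is XML-DSig (canonicalisation, reference digests) and is deliberately left to a dedicated library; the constructed <Response> below therefore carries no <Signature>. The SP/IdP URLs, request IDs and timestamps are placeholders constructed for the example.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed service-provider and identity-provider endpoints (placeholders, not real URLs).
SP_ENTITY = "https://sp.example.invalid/saml/metadata"
SP_ACS = "https://sp.example.invalid/saml/acs"
IDP_SSO = "https://idp.example.invalid/saml/sso"


def build_authn_request(request_id, issue_instant):
    """Step 2: the <AuthnRequest> the service creates when the user is not logged in."""
    return (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
            f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" Destination="{IDP_SSO}" '
            f'AssertionConsumerServiceURL="{SP_ACS}" '
            f'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
            f'<saml:Issuer>{SP_ENTITY}</saml:Issuer></samlp:AuthnRequest>')


def redirect_url(authn_request_xml, relay_state):
    """HTTP-Redirect binding: raw DEFLATE, base64, URL-encode as the SAMLRequest parameter."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)   # -15 = raw deflate, no zlib header
    deflated = c.compress(authn_request_xml.encode()) + c.flush()
    return IDP_SSO + "?" + urlencode({"SAMLRequest": base64.b64encode(deflated).decode(),
                                      "RelayState": relay_state})


def decode_redirect(url):
    """What the identity provider does with the redirect it receives."""
    q = parse_qs(url.split("?", 1)[1])
    xml_text = zlib.decompress(base64.b64decode(q["SAMLRequest"][0]), -15).decode()
    return xml_text, q["RelayState"][0]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_response(xml_text, outstanding_ids, now, skew=timedelta(seconds=60)):
    """Step 5 checks on a Response whose XML signature has ALREADY been verified."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.get("Destination") != SP_ACS:
        problems.append("destination")
    if root.get("InResponseTo") not in outstanding_ids:          # unsolicited or replayed
        problems.append("in_response_to")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        problems.append("status")
    a = root.find("saml:Assertion", NS)
    if a is None:
        return {"ok": False, "problems": problems + ["no_assertion"], "name_id": None}
    cond = a.find("saml:Conditions", NS)
    if cond is None or now + skew < _ts(cond.get("NotBefore")) or now - skew >= _ts(cond.get("NotOnOrAfter")):
        problems.append("validity_window")
    if SP_ENTITY not in [e.text for e in a.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]:
        problems.append("audience")                               # assertion issued for another service
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != SP_ACS or now - skew >= _ts(scd.get("NotOnOrAfter")):
        problems.append("subject_confirmation")
    name_id = a.findtext("saml:Subject/saml:NameID", namespaces=NS)
    return {"ok": not problems, "problems": problems, "name_id": name_id if not problems else None}


# Constructed <Response> as the identity provider would send it back in step 4 (signature omitted).
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_r1" Version="2.0" IssueInstant="2010-03-04T10:00:05Z" Destination="{SP_ACS}" InResponseTo="_req1">
  <saml:Issuer>https://idp.example.invalid/saml/metadata</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2010-03-04T10:00:05Z">
    <saml:Issuer>https://idp.example.invalid/saml/metadata</saml:Issuer>
    <saml:Subject><saml:NameID>hans.muster</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{SP_ACS}" NotOnOrAfter="2010-03-04T10:05:05Z" InResponseTo="_req1"/>
      </saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions NotBefore="2010-03-04T09:59:05Z" NotOnOrAfter="2010-03-04T10:05:05Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def demo():
    req = build_authn_request("_req1", "2010-03-04T10:00:00Z")
    xml_back, relay = decode_redirect(redirect_url(req, "/calendar"))
    now = _ts("2010-03-04T10:01:00Z")
    return {"round_trip": xml_back == req, "relay": relay,
            "good": validate_response(SAMPLE_RESPONSE, {"_req1"}, now),
            "late": validate_response(SAMPLE_RESPONSE, {"_req1"}, _ts("2010-03-04T11:00:00Z"))["problems"],
            "unsolicited": validate_response(SAMPLE_RESPONSE, set(), now)["problems"]}


if __name__ == "__main__":
    print(demo())
```

The order matters: a service that checks Conditions and Audience but skips signature verification, or that verifies the signature but not the Audience, will accept assertions that were never meant for it, so in production the signature check runs first and every check in `validate_response` runs afterwards on the signed assertion only.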
SAML – How does it work?
[Screenshot sequence: 1) Call Application URL, 2) Login, 3) Application Usage]
SECTION 3
Identity Federation
B2B Identity Federation - The Protocol Problem
[Figure: Company A (Intranet, https) connects to Internet Services A, B and C (Document Management, Travel/Ticket Shop, Personal/Recruiting SaaS applications), each requiring a different protocol: Proprietary Token, OpenID, SAML 1.0, SAML 2.0.]
B2B Identity Federation - The Protocol Mess
[Figure: Company A, Company B and Company C (each an Intranet over https) all connect to the same three Internet Services, so every company has to support every protocol: Proprietary Token, SAML 1.0, SAML 2.0, OpenID.]
B2B Identity Federation - The Protocol Solution
[Figure: an Internet Identity Provider sits between the companies and the Internet Services and performs Identity Mapping. The companies reach it over https (Internet SSO, Proprietary Token); it speaks OpenID, SAML 1.0 and SAML 2.0 towards the services. Authentication methods offered by the Internet Identity Provider: Biometric (AXSionics), SSL Certificates, eID (Identity Card), Mobile Phone (SMS), One Time Password (OTP).]
B2B Identity Federation - The Protocol Solution
[Figure: the same picture with Identity Federation: the intranets of Company A, B and C federate to the Internet Identity Provider over https (Internet SSO, Proprietary Token), which in turn federates to the SAML 1.0, SAML 2.0 and OpenID services; same authentication methods as above.]
SECTION 4
A Word on SuisseID
A Word On SuisseID
• SuisseID is currently in Early Draft Specification Phase
• SuisseID should be available to the public in spring 2010
• SuisseID cost will be refunded by the Government in 2010
• SuisseID will most probably be:
  – A signature certificate
  – An authentication certificate
  – All certificates conform to ZertES
  – Certificates contain a unique SuisseID number
  – An Identity Provider Service for attribute exchange
• Eligible SuisseID certificate service providers will be:
  – Swiss Post (SwissSign), Swisscom, QuoVadis, Swiss Government
A Word On SuisseID
[Screenshot slide]
SECTION 5
Strong Authentication as a Service
OpenID - International Identity Providers
[Figure listing international OpenID Identity Providers; authentication methods shown: Username/Password, Certificates, Biometric, OTP]
Clavid Portal for Strong Authentication
[Screenshot slide]
Clavid Portal - AXSionics
[Screenshot slide]
Clavid Portal - Yubikey
[Screenshot slide]
Clavid Portal - Certificates
[Screenshot slide]
Clavid Portal - One Time Password
OTP Methods:
• OATH HOTP (RFC 4226)
• Challenge/Response (RFC 2289)
• Mobile OTP (open-source project)
• SMS
• ... others ...
Clavid Portal - Personas
[Screenshot slide]
Clavid Portal - Login Settings
[Screenshot slide]
Clavid Login Dialog
[Screenshot slide]
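Of the OTP methods listed above, OATH HOTP (RFC 4226) is the one with a fully specified algorithm, and it is the method behind the YubiKey and hardware-token logins demonstrated in this section. The Python below is an added example, not code from the slides or from clavid's portal: it implements the RFC 4226 computation and the server-side verification with a look-ahead window, which is the part a strong-authentication service has to get right (a token whose button was pressed without submitting the code drifts ahead of the server counter, and an accepted code must never be accepted again). The secret is the RFC 4226 Appendix D reference secret; the `HotpValidator` class and window size are assumptions for the example.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[19] & 0x0F
    binary = ((mac[offset] & 0x7F) << 24) | (mac[offset + 1] << 16) | (mac[offset + 2] << 8) | mac[offset + 3]
    return str(binary % 10 ** digits).zfill(digits)


class HotpValidator:
    """Server-side state for one token: shared secret, next expected counter, look-ahead window."""

    def __init__(self, secret: bytes, window: int = 10):
        self.secret = secret
        self.counter = 0        # next counter value the server expects
        self.window = window    # how far ahead the token may have drifted (presses never submitted)

    def verify(self, code: str) -> bool:
        # Scan the whole window rather than returning early, so timing does not reveal the match offset.
        match = -1
        for i in range(self.window):
            if hmac.compare_digest(hotp(self.secret, self.counter + i), code):
                match = i
        if match < 0:
            return False
        # Move past the used counter: this value and every earlier one can never be accepted again.
        self.counter += match + 1
        return True


# RFC 4226 Appendix D reference secret; a real deployment uses a per-token random secret.
RFC_SECRET = b"12345678901234567890"


def demo() -> dict:
    v = HotpValidator(RFC_SECRET, window=5)
    return {
        "first": v.verify(hotp(RFC_SECRET, 0)),       # counter 0 -> accepted, server moves to 1
        "replay": v.verify(hotp(RFC_SECRET, 0)),      # same code again -> rejected
        "drift": v.verify(hotp(RFC_SECRET, 3)),       # token pressed twice unnoticed -> resync to 4
        "stale": v.verify(hotp(RFC_SECRET, 2)),       # older than the resynced counter -> rejected
        "too_far": v.verify(hotp(RFC_SECRET, 40)),    # beyond the window -> rejected
        "next_counter": v.counter,
    }


if __name__ == "__main__":
    print(demo())
```

The window is a trade-off: a larger window tolerates more drift but gives an online guesser more valid codes per attempt, so it is paired with a failed-attempt lockout and, for large drifts, an explicit resynchronisation step that asks for two consecutive codes.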
SECTION 6
Conclusion
> Further References
> Questions & Answers
> Contact Information
Further Links: on OpenID
> http://en.wikipedia.org/wiki/OpenID
> http://en.wikipedia.org/wiki/List_of_OpenID_providers
OpenID Identity Providers can be found at:
> http://www.openiddirectory.com/openid-providers-c-1.html
> http://www.clavid.com/ (Strong Authentication in Europe)
Conclusion
> OpenID: An open, well documented specification allowing Internet Single Sign-On (SSO) for individual "Public Services" (B2C)
> SAML: Trust-based Internet and Intranet Single Sign-On for Business Services (B2B)
> Professional Identity Providers already in place
> User Centric Identity Management already integrated
> Join OpenID Switzerland in order to increase the OpenID momentum
> Enable your Internet Services to support OpenID or SAML!!!
Demo
> SAML login to Google Business Apps using AXSionics Fingerprint
> SAML login to Salesforce.com using YubiKey OTP
> OpenID login to local.ch using a Swiss Post certificate
> Online Identity Administration (Clavid Portal)
Questions & Answers
Contact Information