OpenID & SAML
March 4th 2010

OpenID & SAML, Identity Federation, SuisseID, Strong Authentication Service: Single Sign-On Concepts with a Future (original German subtitle: Single-Sign-on Konzepte mit Zukunft)

Geneva Application Security Forum 2010
Robert Ott, Master of Science (Honors), CFO, Clavid AG, Zug, Switzerland; OpenID Representative Switzerland
Fredi Weideli, Master of Computer Science, CTO, Clavid AG

Agenda
•SECTION 1 OpenID - What is it? How does it work? Integration?
•SECTION 2 SAML - What is it? How does it work?
•SECTION 3 Identity Federation
•SECTION 4 A Word on SuisseID
•SECTION 5 Strong Authentication as a Service
•SECTION 6 Further Links / Conclusion / Q & A

G e n e

SECTION 1 OpenID
>What is it?
>How does it work?
>How to integrate?


OpenID - What is it?

>Internet Single Sign-On
>Relatively simple protocol
>User-centric identity management
>Internet scalable
>Free choice of Identity Provider
>No license fee
>Independent of identification methods
>Non-profit organization


OpenID - How does it work?

Diagram: User Hans Muster (domain www.iid.ch) authenticates at the Identity Provider (e.g. clavid.ch). His Identity URL is hans.muster.iid.ch, and the OpenID hans.muster.iid.ch is presented to the OpenID-enabled service.


OpenID - How does it work?

Diagram: User Hans Muster, Identity Provider (e.g. clavid.com, Identity URL https://hans.muster.clavid.com) and the OpenID-enabled service, with the numbered message flow.
Caption: 1. User enters OpenID; 2. Discovery; 3. Authentication; 4. Approval; 4a. Change Attributes; 5. Send Attributes; 6. Validation.


OpenID - How does it work?
Step 1: A user decides to use a personalized Internet Service supporting OpenID (e.g. local.ch). The user clicks on "Login using OpenID" and enters their OpenID (e.g. hans.muster.iid.ch).
Step 2: The requested Internet Service converts the OpenID into a URL (http://hans.muster.iid.ch) and requests this URL in order to learn the Identity Provider of the user.
Step 2a: In this example, the user has delegated their OpenID to the Identity Provider clavid.ch.
Step 3: The Identity Provider offers the authentication methods available for that specific user (in this case "Password"). Having successfully authenticated, the next step (approval) is initiated.
Step 4: The user decides on the values of the requested attributes to be provided to the Internet Service. The Identity Provider usually provides user-specific Personas (attribute templates) to assist the user in this approval process.
Step 4a: At this point, the user may decide to change attribute values and store them on the Identity Provider for future approvals for that specific service. Thus, a user can automate future approvals for specific Internet Services.
Step 5, 6: The attribute values are then signed and communicated from the Identity Provider to the Internet Service. The Internet Service validates the signature of the provided attributes and finally accepts the user as authenticated.
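The six steps above, as an added worked example that is not part of the presentation or of Clavid's software: HTML-based discovery with delegation (steps 2/2a), the Identity Provider signing the attributes with the association MAC key (step 5), and the Relying Party's validation (step 6). All URLs, the association handle and the MAC key are constructed for the example; in OpenID 2.0 the MAC key would come from an association request, and the signature is the HMAC over the key-value form of the fields listed in openid.signed. The RP-side checks are the ones a practitioner cares about: the signature must cover the identity fields, return_to must be ours, the asserted endpoint and identity must match what the RP discovered itself, and the response nonce must be fresh and never seen before.

```python
import base64
import calendar
import hashlib
import hmac
import secrets
import time
from html.parser import HTMLParser

# Constructed sample of the page served at the user's identifier URL (step 2);
# it delegates to a hypothetical OpenID Provider, as in step 2a.
IDENTIFIER_PAGE = """<html><head>
<link rel="openid2.provider" href="https://op.example-provider.test/server">
<link rel="openid2.local_id" href="https://hans.muster.example-provider.test/">
</head><body>Hans Muster</body></html>"""

# Constructed association: OpenID 2.0 establishes this MAC key between RP and OP
# through an association request (Diffie-Hellman or over TLS); here it is fixed.
ASSOC_HANDLE = "assoc-constructed-1"
MAC_KEY = bytes(range(32))


class _LinkParser(HTMLParser):
    """Collects <link rel=... href=...> tags for HTML-based discovery."""
    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and "rel" in a and "href" in a:
            self.links[a["rel"]] = a["href"]


def discover(html):
    """Step 2/2a: return (op_endpoint, local_id) found on the identifier page."""
    p = _LinkParser()
    p.feed(html)
    return p.links["openid2.provider"], p.links["openid2.local_id"]


def sign_fields(fields, signed):
    """OpenID 2.0 signature: HMAC over the key-value form ("key:value\\n") of the signed fields."""
    kv = "".join(f"{k}:{fields[k]}\n" for k in signed).encode()
    return base64.b64encode(hmac.new(MAC_KEY, kv, hashlib.sha256).digest()).decode()


def op_positive_assertion(op_endpoint, claimed_id, local_id, return_to, email):
    """Step 5: the OP builds and signs the positive assertion (with an sreg email attribute)."""
    nonce = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()) + secrets.token_hex(4)
    fields = {
        "ns": "http://specs.openid.net/auth/2.0", "mode": "id_res",
        "op_endpoint": op_endpoint, "claimed_id": claimed_id, "identity": local_id,
        "return_to": return_to, "response_nonce": nonce, "assoc_handle": ASSOC_HANDLE,
        "ns.sreg": "http://openid.net/extensions/sreg/1.1", "sreg.email": email,
    }
    fields["signed"] = "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle,ns.sreg,sreg.email"
    fields["sig"] = sign_fields(fields, fields["signed"].split(","))
    return {f"openid.{k}": v for k, v in fields.items()}


class RelyingParty:
    """Step 6: validation on the RP side, with replay protection on the response nonce."""
    def __init__(self, return_to, max_age=300):
        self.return_to, self.max_age, self.seen_nonces = return_to, max_age, set()

    def verify(self, msg, discovered_endpoint, discovered_local_id):
        """Return (True, claimed_id) on success, otherwise (False, reason)."""
        f = {k[len("openid."):]: v for k, v in msg.items() if k.startswith("openid.")}
        if f.get("mode") != "id_res":
            return False, "not a positive assertion"
        signed = f.get("signed", "").split(",")
        if any(k not in f for k in signed):
            return False, "a field listed in openid.signed is missing"
        for must in ("op_endpoint", "return_to", "response_nonce", "assoc_handle", "claimed_id", "identity"):
            if must not in signed:
                return False, f"{must} is not covered by the signature"
        if not hmac.compare_digest(sign_fields(f, signed), f.get("sig", "")):
            return False, "bad signature"
        if f["return_to"] != self.return_to:
            return False, "return_to does not match this RP"
        # Bind the assertion to what the RP discovered itself, not to what the message claims.
        if f["op_endpoint"] != discovered_endpoint or f["identity"] != discovered_local_id:
            return False, "assertion does not match discovery"
        issued = calendar.timegm(time.strptime(f["response_nonce"][:20], "%Y-%m-%dT%H:%M:%SZ"))
        if abs(time.time() - issued) > self.max_age:
            return False, "stale nonce"
        if f["response_nonce"] in self.seen_nonces:
            return False, "replayed nonce"
        self.seen_nonces.add(f["response_nonce"])
        return True, f["claimed_id"]
```

The discovery check is the one most often forgotten: without it, any OP holding a valid association could assert an identity it does not control. The nonce set would live in a shared store in a real deployment and be pruned after max_age.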


OpenID - User Centric Identity Management

Diagram: TODAY, the user keeps a separate username and password for every service. TOMORROW? FUTURE? One OpenID Provider with a single username and password is used for all of them.


OpenID - How to Integrate?
Assumptions concerning your current site
•Users sign in with their username and password
•There is a form where new users have to register
•Each user is identified by a unique ID in your database
•A settings page lets users manage their account info
Recipe
•Extend the database to map the OpenIDs to the user IDs
•Extend the registration page with an OpenID input field
•Extend the sign-in page with an OpenID input field
•Extend the settings page to attach and detach OpenIDs
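The database part of the recipe, as an added example that is not from the presentation: an in-memory SQLite mapping table from OpenID to user ID plus the attach, detach and sign-in lookups the settings and login pages need. The schema and the AccountStore class are assumptions for this example. The detail worth copying is the normalization step: the identifier a user types ("Hans.Muster.IID.ch", with or without scheme, trailing slash or fragment) must be canonicalized before it is stored or looked up, and the lookup on sign-in must use the claimed identifier from the verified assertion, never the raw form input.

```python
import sqlite3
from urllib.parse import urlsplit, urlunsplit


def normalize_openid(user_input):
    """Canonical URL form of a typed OpenID (OpenID 2.0 section 7.2, simplified):
    trim, default to http://, lowercase the host, drop default ports, ensure a path,
    strip the fragment. XRIs are not handled in this example."""
    s = user_input.strip()
    if s.lower().startswith("xri://"):
        raise ValueError("XRI identifiers are not supported here")
    if "://" not in s:
        s = "http://" + s
    parts = urlsplit(s)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("not a valid OpenID URL")
    netloc = parts.hostname.lower()
    default_port = {"http": 80, "https": 443}[parts.scheme]
    if parts.port and parts.port != default_port:
        netloc += f":{parts.port}"
    return urlunsplit((parts.scheme, netloc, parts.path or "/", parts.query, ""))


# Hypothetical schema: the existing users table plus the new mapping table.
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE NOT NULL);
CREATE TABLE user_openids (
    openid  TEXT PRIMARY KEY,                                  -- normalized claimed identifier
    user_id INTEGER NOT NULL REFERENCES users(id) ON DELETE CASCADE
);
"""


class AccountStore:
    """Sign-in, registration and settings-page operations on the OpenID mapping."""
    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.execute("PRAGMA foreign_keys = ON")
        self.db.executescript(SCHEMA)

    def create_user(self, username):
        return self.db.execute("INSERT INTO users (username) VALUES (?)", (username,)).lastrowid

    def attach_openid(self, user_id, verified_openid):
        """Settings page: link an OpenID that has just been verified to this account.
        The PRIMARY KEY refuses an identifier already attached to any account."""
        try:
            self.db.execute("INSERT INTO user_openids (openid, user_id) VALUES (?, ?)",
                            (normalize_openid(verified_openid), user_id))
            return True
        except sqlite3.IntegrityError:
            return False

    def detach_openid(self, user_id, openid):
        """Settings page: only the owning account may detach the identifier."""
        cur = self.db.execute("DELETE FROM user_openids WHERE openid = ? AND user_id = ?",
                              (normalize_openid(openid), user_id))
        return cur.rowcount == 1

    def user_for_openid(self, verified_openid):
        """Sign-in page: call this with the claimed_id from the verified assertion,
        never with the raw form input; returns the user ID or None."""
        row = self.db.execute("SELECT user_id FROM user_openids WHERE openid = ?",
                              (normalize_openid(verified_openid),)).fetchone()
        return row[0] if row else None

    def openids_for_user(self, user_id):
        rows = self.db.execute("SELECT openid FROM user_openids WHERE user_id = ? ORDER BY openid",
                               (user_id,))
        return [r[0] for r in rows]
```

A production settings page would additionally refuse to detach the last remaining login method of an account; that rule is left out here to keep the mapping logic visible.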


OpenID - How to Integrate?
Ingredients
•An OpenID Consumer Library
•The standard OpenID logos
•An OpenID Provider to test your site with


OpenID - How to Integrate?
OpenID Libraries (Language: Library)
•C#: DotNetOpenId, ExtremeSwank
•C++: Libopkele
•Java: NetMesh InfoGrid LID, OpenID4Java, joid
•Perl: Net::OpenID, OpenID4Perl
•Python: JanRain
•Ruby: JanRain, Heraldry
•PHP: JanRain, Zend Framework OpenID Component, Saeven.net's JanRain Service Utility Class, Taral, Simple Class, sfOpenIDPlugin, CakePHP, EasyOpenID, OpenID For PHP, AuthOpenID Snippet
•ColdFusion: CFKit OpenID, CFOpenID, OpenID CFC
•Apache 2: mod_auth_openid


SECTION 2 SAML
>What is it?
>How does it work?


SAML – What is it?
SAML (Security Assertion Markup Language):
>Defined by the OASIS group
>Well and academically designed specification
>Uses XML syntax
>Used for Authentication & Authorization
>SAML Assertions: Statements: Authentication, Attribute, Authorization
>SAML Protocols: Queries: Authentication, Artifact, Name Identifier Mapping, etc.
>SAML Bindings: SOAP, Reverse-SOAP, HTTP-GET, HTTP-POST, HTTP-Artifact
>SAML Profiles: Web Browser Single Sign-On Profile, Identity Provider Discovery Profile, Assertion Query / Request Profile, Attribute Profile


SAML – How does it work?

Diagram: User Hans Muster accesses a resource at the enabled service (e.g. Google Apps for Business). The service redirects the browser to the Identity Provider (e.g. clavid.ch) with an <AuthnRequest>; after authentication the Identity Provider redirects back with a <Response> containing a signed Assertion.


SAML – How does it work?

Diagram: the same exchange between User Hans Muster, the Identity Provider (e.g. clavid.ch) and the enabled service (e.g. Google Apps for Business), with the messages numbered 1 to 6.


SAML – How does it work?
Step 1: A user decides to use a personalized Internet Service connected to a SAML-based Identity Provider (e.g. Google Business Application Calendar).
Step 2: The Internet Service recognizes that the user is not logged in yet. A SAML <AuthnRequest> is created and sent via redirect to the Identity Provider.
Step 3: The Identity Provider offers the authentication methods available for that specific user (in this case "YubiKey" OTP). Having successfully authenticated, the next step is initiated.
Step 4: The Identity Provider creates a SAML <Response> containing the user's identifier for the specific target application. Then it signs the SAML <Response> and sends it via a POST redirect to the Internet Service (e.g. Google Calendar).
Step 5: The Internet Service (e.g. Google Apps) verifies the signature of the SAML <Response> and now knows the user's identifier provided by the Identity Provider.
Step 6: The Internet Service can now be used by the user.
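The service-provider side of steps 2 to 5, as an added example that is not from the presentation or from Google's or Clavid's implementations: building the <AuthnRequest> for the HTTP-Redirect binding (raw DEFLATE, base64, URL-encoding), remembering its ID, and then validating the POSTed <Response>. The entity IDs and URLs are hypothetical, the sample <Response> is constructed in the block, and the XML-Signature check of step 5 is passed in as a callable because a real SP delegates it to an XML-DSig library configured with the IdP certificate; everything after that callable is the part SPs get wrong in practice. The checks shown are Destination, InResponseTo against an outstanding request, Issuer, Status, exactly one Assertion, the Conditions time window, the AudienceRestriction, and the bearer SubjectConfirmationData.

```python
import base64
import uuid
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode, urlsplit

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Hypothetical deployment values; none of these come from the presentation.
SP_ENTITY_ID = "https://sp.example.test/metadata"
ACS_URL = "https://sp.example.test/saml/acs"
IDP_ENTITY_ID = "https://idp.example.test/metadata"
IDP_SSO_URL = "https://idp.example.test/sso"


def _now():
    return datetime.now(timezone.utc)

def _ts(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")

def _parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_authn_request(pending):
    """Step 2: create the <AuthnRequest>, remember its ID in `pending`, and return the
    redirect URL (HTTP-Redirect binding: raw DEFLATE, base64, URL-encode)."""
    req_id = "_" + uuid.uuid4().hex
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="{req_id}" '
           f'Version="2.0" IssueInstant="{_ts(_now())}" Destination="{IDP_SSO_URL}" '
           f'AssertionConsumerServiceURL="{ACS_URL}">'
           f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>')
    pending[req_id] = _now()
    raw_deflate = zlib.compress(xml.encode())[2:-4]  # drop zlib header and Adler-32 trailer
    return f"{IDP_SSO_URL}?{urlencode({'SAMLRequest': base64.b64encode(raw_deflate).decode()})}", req_id


def decode_redirect_request(url):
    """Inverse of the redirect binding, as the IdP applies it on arrival."""
    b64 = parse_qs(urlsplit(url).query)["SAMLRequest"][0]
    return zlib.decompress(base64.b64decode(b64), -15).decode()


def constructed_idp_response(req_id, now=None, audience=SP_ENTITY_ID):
    """Constructed sample of the <Response> the IdP POSTs back in step 4. The XML-DSig
    signature a real IdP adds is omitted; validate_response takes the check as a callable."""
    now = now or _now()
    nb, na = _ts(now - timedelta(minutes=1)), _ts(now + timedelta(minutes=5))
    xml = (f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1" Version="2.0" '
           f'IssueInstant="{_ts(now)}" Destination="{ACS_URL}" InResponseTo="{req_id}">'
           f'<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>'
           f'<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
           f'<saml:Assertion ID="_a1" Version="2.0" IssueInstant="{_ts(now)}">'
           f'<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>'
           f'<saml:Subject><saml:NameID>hans.muster@example.test</saml:NameID>'
           f'<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
           f'<saml:SubjectConfirmationData Recipient="{ACS_URL}" InResponseTo="{req_id}" NotOnOrAfter="{na}"/>'
           f'</saml:SubjectConfirmation></saml:Subject>'
           f'<saml:Conditions NotBefore="{nb}" NotOnOrAfter="{na}"><saml:AudienceRestriction>'
           f'<saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction></saml:Conditions>'
           f'</saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()


def validate_response(saml_response_b64, pending, signature_ok, now=None):
    """Step 5: the SP-side checks before the NameID may be trusted. `signature_ok(xml_bytes)`
    stands in for XML-Signature verification against the IdP certificate and runs first."""
    now = now or _now()
    xml_bytes = base64.b64decode(saml_response_b64)
    if not signature_ok(xml_bytes):
        return None, "invalid or missing signature"
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{SAMLP}}}Response" or root.get("Destination") != ACS_URL:
        return None, "not a samlp:Response addressed to our ACS URL"
    req_id = root.get("InResponseTo")
    if req_id not in pending:
        return None, "unsolicited or replayed response (unknown InResponseTo)"
    if root.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        return None, "unexpected Issuer"
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        return None, "IdP reported failure"
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1 or assertions[0].findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        return None, "expected exactly one assertion from the expected IdP"
    a = assertions[0]
    cond = a.find("saml:Conditions", NS)
    if cond is None or now < _parse_ts(cond.get("NotBefore")) or now >= _parse_ts(cond.get("NotOnOrAfter")):
        return None, "assertion missing Conditions or outside its validity window"
    if SP_ENTITY_ID not in [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        return None, "assertion not addressed to this SP"
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if (scd is None or scd.get("Recipient") != ACS_URL or scd.get("InResponseTo") != req_id
            or now >= _parse_ts(scd.get("NotOnOrAfter"))):
        return None, "SubjectConfirmationData does not match this request"
    del pending[req_id]  # each request ID is consumed once, so a captured response cannot be replayed
    return a.findtext("saml:Subject/saml:NameID", namespaces=NS), "ok"
```

The `pending` dictionary should be a server-side store with an expiry on the stored IssueInstant; the example keeps it as a plain dict so the one-time consumption of the request ID is visible.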


SAML – How does it work?
Screenshots: 1) Call Application URL; 2) Login; 3) Application Usage


SECTION 3 Identity Federation


B2B Identity Federation - The Protocol Problem

Diagram: Company A's intranet uses a proprietary token internally, but its SaaS applications over https (Internet Service A Travel Ticket Shop, Internet Service B Document Management, Internet Service C Personnel Recruiting) each expect a different protocol: OpenID, SAML 1.0 or SAML 2.0.


B2B Identity Federation - The Protocol Mess

Diagram: Companies A, B and C each run a proprietary token on their intranet and additionally have to speak OpenID, SAML 1.0 and SAML 2.0 over https to reach the same three SaaS applications (Travel Ticket Shop, Document Management, Personnel Recruiting), so every company-to-service pair needs its own protocol integration.


B2B Identity Federation - The Protocol Solution

Diagram: an Internet Identity Provider sits between the company intranets and the SaaS applications and performs Identity Mapping. Companies A, B and C connect to it over https with their proprietary tokens; it provides Internet SSO to Internet Service A (Travel Ticket Shop), Internet Service B (Document Management) and Internet Service C (Personnel Recruiting) over OpenID, SAML 1.0 and SAML 2.0, and supports authentication by eID (Identity Card), SSL certificates, biometrics (AXSionics), one-time passwords (OTP) and mobile phone (SMS).

B2B Identity Federation - The Protocol Solution

Diagram: the same architecture, now labelled Identity Federation: the Internet Identity Provider federates the identities of Companies A, B and C (proprietary tokens over https), offers the same authentication methods (biometric AXSionics, one-time passwords, mobile phone SMS, eID identity card, SSL certificates) and provides Internet SSO to the services via SAML 1.0 and SAML 2.0.

SECTION 4 A Word on SuisseID


A Word On SuisseID
•SuisseID is currently in the Early Draft Specification phase
•SuisseID should be available to the public in spring 2010
•SuisseID cost will be refunded by the Government in 2010
•SuisseID will most probably be:
 –A signature certificate
 –An authentication certificate
 –All certificates conform to ZertES
 –Certificates contain a unique SuisseID number
 –An Identity Provider Service for attribute exchange
•Eligible SuisseID certificate service providers will be:
 –Swiss Post (SwissSign), Swisscom, QuoVadis, Swiss Government


SECTION 5 Strong Authentication as a Service


OpenID - International Identity Providers

Diagram: international OpenID providers grouped by the authentication method they offer: Username/Password, Certificates, Biometric, OTP.


Clavid Portal for Strong Authentication (screenshots)
>Clavid Portal - AXSionics
>Clavid Portal - Yubikey
>Clavid Portal - Certificates
>Clavid Portal - One Time Password

OTP Methods:
• OATH HOTP (RFC4226)
• Challenge/Response (RFC2289)
• Mobile OTP (open-source project)
• SMS
• ... others ...
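The first of the OTP methods listed, OATH HOTP (RFC 4226), as an added example that is not Clavid's or the presentation's code: the HOTP computation itself, checked against the RFC 4226 Appendix D test vector, plus the server-side validation state a portal needs. The validator is an assumption for the example, but it implements the two things RFC 4226 section 7 asks of a server: a look-ahead window so that a few unused button presses on the token do not lock the user out, and a failure counter for throttling. After a successful match the stored counter moves past the matched value, so the same code is never accepted twice.

```python
import hashlib
import hmac
import struct

# RFC 4226 Appendix D test vector: the 20-byte ASCII key and the first ten HOTP values.
RFC4226_KEY = b"12345678901234567890"
RFC4226_VECTORS = ["755224", "287082", "359152", "969429", "338314",
                   "254676", "287922", "162583", "399871", "520489"]


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation
    using the low nibble of the last byte as offset, then reduce modulo 10^digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24) | (mac[offset + 1] << 16) | (mac[offset + 2] << 8) | mac[offset + 3]
    return str(code % 10 ** digits).zfill(digits)


class HotpValidator:
    """Server-side state for one token (RFC 4226 section 7): the stored counter, a
    look-ahead window for resynchronisation, and a failure counter for throttling."""
    def __init__(self, key: bytes, look_ahead: int = 10, max_failures: int = 5):
        self.key, self.look_ahead, self.max_failures = key, look_ahead, max_failures
        self.counter, self.failures, self.locked = 0, 0, False

    def verify(self, code: str) -> bool:
        if self.locked or len(code) != 6 or not code.isdigit():
            return False
        for i in range(self.look_ahead + 1):
            candidate = self.counter + i
            if hmac.compare_digest(hotp(self.key, candidate), code):
                self.counter = candidate + 1  # move past it: this or an older code is never accepted again
                self.failures = 0
                return True
        self.failures += 1
        self.locked = self.failures >= self.max_failures  # throttle: lock after repeated failures
        return False
```

In a deployment the counter, failure count and lock flag are persisted per token, and unlocking is an administrative action; a time-based variant (TOTP, RFC 6238) replaces the counter with a time step but keeps the same truncation.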


Clavid Portal (screenshots, continued)
>Clavid Portal - Personas
>Clavid Portal - Login Settings
>Clavid Login Dialog


SECTION 6 Conclusion
>Further References
>Questions & Answers
>Contact Information


Further Links on OpenID

OpenID Identity Providers can be found at:
>http://en.wikipedia.org/wiki/OpenID
>http://en.wikipedia.org/wiki/List_of_OpenID_providers
>http://www.openiddirectory.com/openid-providers-c-1.html
>http://www.clavid.com/ (Strong Authentication in Europe)


Conclusion
>OpenID: an open, well-documented specification allowing Internet Single Sign-On (SSO) for individual "Public Services" (B2C)
>SAML: trust-based Internet and Intranet Single Sign-On for Business Services (B2B)
>Professional Identity Providers already in place
>User-centric Identity Management already integrated
>Join OpenID Switzerland in order to increase the OpenID momentum
>Enable your Internet Services to support OpenID or SAML!


Demo
>SAML login to Google Business Apps using AXSionics fingerprint
>SAML login to Salesforce.com using YubiKey OTP
>OpenID login to local.ch using Swiss PostZertifikat
>Online identity administration (Clavid Portal)


Questions & Answers


Contact Information
