2. Cloud trends in the enterprise
Security challenges in cloud computing
SAML introduction
SAML Use Cases
Does SAML address the security challenges in cloud computing?
Some SAML solutions
Example and Vendors
12/29/2011
3. Cloud Computing defined
◦ Cloud computing is a computing model that allows the utilization of a computing infrastructure
at one or more levels of abstraction, as an on-demand service made available over the
Internet or other computer network.
Basic models for cloud computing
◦ Software as a Service (SaaS), where applications are hosted and delivered, e.g. Google Docs,
SalesForce.
◦ Platform as a Service (PaaS), where the cloud provides the software platform for systems (as
opposed to just software), the best current example being the Google App Engine.
◦ Infrastructure as a Service (IaaS), where a set of virtualized computing resources, such as
storage and computing capacity, are hosted in the cloud; customers deploy and run their own
software stacks to obtain services. An example is Amazon Elastic Compute Cloud (EC2).
Why is it popular?
◦ Cloud computing provides greater flexibility and availability at lower cost.
4. Single Sign-on Challenge
◦ The enterprise typically uses access management to integrate applications in different
domains to an application portal, so that the end user can access applications without re-
authentication. Access management may work well for the applications within the data center
or within the same domain but cloud computing service providers are typically in external data
centers and located within a different domain, requiring a new SSO.
Authentication and Identity Management
◦ Impersonation: When the same password is used for various cloud services, an insider or an
attacker who can gain access to the password store might capture passwords and
impersonate users at other sites.
◦ Security of the stored credentials: Are they one-way hashed? What is the data store?
◦ No easy way for the enterprise to manage and administer access control in the cloud.
Heterogeneity
◦ Multiple service providers can coexist in clouds and collaborate to provide various services,
and they might have different security approaches and privacy mechanisms.
◦ Lack of a trust framework to handle dynamic interactions between different service providers.
Access to Data
◦ Lack of well-defined constraints on OS services. For example, authorization to define access to
well-defined parts of the file system in a multi-tenant cloud service.
5. What is SAML
◦ SAML (Security Assertion Markup Language) is an XML framework for exchanging security information
over a network. SAML provides a framework to implement a platform-neutral, secure and scalable
SSO solution.
Concepts
◦ Assertions: At the core of SAML, assertions are used by an asserting party to communicate the
authentication, attribute and entitlement information for a given subject. Assertions are created
by asserting parties, also known as identity providers (IdPs).
◦ Protocol: Request and response elements for packaging assertions.
◦ Bindings: Map SAML protocols to the lower-level transports that are used for the request/response
exchanges. Bindings define how the SAML request and response messages described in SAML protocols
can be executed using SOAP message exchanges.
◦ Profiles: Define combinations of assertions, protocols and bindings that can be used for a
specific use case.
◦ SAML in Web services security: SAML assertions can be used in Web services security (WS-Security)
to secure Web services messages.
[Figure: SAML component stack, top to bottom: Profiles, Bindings, Protocol, Assertions]
6. Single sign-on (SSO)
◦ User logs in to abc.com and is authenticated.
◦ The same user tries to access def.com.
◦ def.com can ask abc.com whether the user has already been authenticated.
◦ abc.com then sends back a SAML assertion statement indicating that the user has in fact been authenticated.
◦ Once def.com receives the SAML assertion statement, it allows the user to access its resources without asking the user to re-enter
his identity information.
Distributed transaction service
◦ User buys a car from Cars.com.
◦ The same user then decides to buy automobile insurance from Insurance.com.
◦ Insurance.com sends a SAML assertion request, such as "send me the user profile", to Cars.com, and Cars.com sends all the user profile information
it knows to Insurance.com in SAML assertion statements.
Authorization service
◦ A Works.com employee wants to order a million dollars' worth of furniture from Office.com (their preferred supplier).
◦ When Office.com receives the purchase order it wants to know if the employee was authorized to submit this order and, if so, the maximum dollar
limit.
◦ When Office.com receives a purchase order from the Works.com employee, it sends a SAML assertion request message to Works.com, which then
sends back a SAML assertion indicating that the employee was in fact allowed to order the furniture, but that the maximum amount was 500K.
Web service security
◦ Defines a set of SOAP header extensions for end-to-end SOAP messaging security.
◦ WS-Security supports multiple security models, such as username/password-based and certificate-based models.
◦ WS-Security describes how to encode Username Tokens, X.509 Tokens, SAML as well as how to include opaque encrypted keys.
Message integrity is provided by leveraging XML Signature and security tokens to ensure that messages have originated from the
appropriate sender and were not modified in transit.
◦ Message confidentiality leverages XML Encryption and security tokens to keep portions of a SOAP message confidential.
7. What does it solve
◦ It solves the problem of exchanging security information through the use of SAML assertions.
◦ Provides a mechanism to control access to resources for authenticated principals.
◦ Shares information about a subject among service providers in a platform-agnostic way. SAML
allows secure exchange of messages between different services via PKI. For example, by signing a
message with the sender's private key, it can be proven that the message was truly sent by the
sender.
◦ PKI can also be used for the distribution of symmetric keys protected by the receivers' public keys,
solving the problem of key distribution.
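The SSO exchange between abc.com and def.com on the single sign-on slide, together with the PKI signing point above, as an added example that is not code from these slides or from any vendor named on them: the IdP (abc.com) serializes and signs an assertion with its private key, and the service provider (def.com) verifies it with only the Go standard library. The reduced Assertion layout, the detached RSA signature standing in for XML-DSig, the entity names and the user name are assumptions for illustration; what the example shows beyond the slide is the full set of checks a relying party runs before trusting an assertion (issuer, signature, audience, validity window, one-time use).

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/xml"
	"errors"
	"fmt"
	"time"
)

// Assertion is a deliberately reduced model of a SAML authentication assertion:
// who issued it (the IdP), for whom (the subject), for which relying party (the
// audience) and for how long. Constructed for this example; a real SAML 2.0
// assertion carries many more elements and namespaces.
type Assertion struct {
	XMLName      xml.Name  `xml:"Assertion"`
	ID           string    `xml:"ID,attr"`
	Issuer       string    `xml:"Issuer"`
	Subject      string    `xml:"Subject"`
	Audience     string    `xml:"Audience"`
	NotBefore    time.Time `xml:"NotBefore"`
	NotOnOrAfter time.Time `xml:"NotOnOrAfter"`
}

// SignedAssertion is the serialized assertion plus an RSA signature over those
// exact bytes. A detached signature is used instead of XML-DSig to stay within
// the standard library; the trust relationship it establishes is the same.
type SignedAssertion struct {
	XML       []byte
	Signature []byte
}

// Issue is the IdP side (abc.com in the slides): serialize and sign with the
// IdP's private key.
func Issue(key *rsa.PrivateKey, a Assertion) (SignedAssertion, error) {
	body, err := xml.Marshal(a)
	if err != nil {
		return SignedAssertion{}, err
	}
	digest := sha256.Sum256(body)
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return SignedAssertion{}, err
	}
	return SignedAssertion{XML: body, Signature: sig}, nil
}

// Verifier is the service-provider side (def.com): the IdP public keys it
// trusts, its own entity ID, and the assertion IDs it has already consumed.
type Verifier struct {
	TrustedIdPs map[string]*rsa.PublicKey
	EntityID    string
	seen        map[string]bool
}

func NewVerifier(entityID string) *Verifier {
	return &Verifier{TrustedIdPs: map[string]*rsa.PublicKey{}, EntityID: entityID, seen: map[string]bool{}}
}

// Accept returns the authenticated subject, or an error naming the check that
// failed. Each check closes one way a forged, misdirected, stale or replayed
// assertion would otherwise grant access.
func (v *Verifier) Accept(sa SignedAssertion, now time.Time) (string, error) {
	var a Assertion
	if err := xml.Unmarshal(sa.XML, &a); err != nil {
		return "", fmt.Errorf("malformed assertion: %w", err)
	}
	pub, ok := v.TrustedIdPs[a.Issuer] // only configured IdPs are consulted
	if !ok {
		return "", errors.New("untrusted issuer " + a.Issuer)
	}
	digest := sha256.Sum256(sa.XML) // signature proves the IdP produced these bytes
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sa.Signature); err != nil {
		return "", errors.New("bad signature")
	}
	if a.Audience != v.EntityID { // an assertion minted for another SP is not ours
		return "", errors.New("audience mismatch")
	}
	if now.Before(a.NotBefore) || !now.Before(a.NotOnOrAfter) {
		return "", errors.New("assertion outside its validity window")
	}
	if v.seen[a.ID] { // one-time use: the same assertion must not log in twice
		return "", errors.New("assertion replayed")
	}
	v.seen[a.ID] = true
	return a.Subject, nil
}

func main() {
	idpKey, err := rsa.GenerateKey(rand.Reader, 2048) // constructed IdP key
	if err != nil {
		panic(err)
	}
	now := time.Now()
	sa, err := Issue(idpKey, Assertion{ID: "_id1", Issuer: "abc.com", Subject: "alice",
		Audience: "def.com", NotBefore: now.Add(-time.Minute), NotOnOrAfter: now.Add(5 * time.Minute)})
	if err != nil {
		panic(err)
	}
	sp := NewVerifier("def.com")
	sp.TrustedIdPs["abc.com"] = &idpKey.PublicKey
	fmt.Println(sp.Accept(sa, now)) // first presentation succeeds
	fmt.Println(sp.Accept(sa, now)) // second presentation is rejected as a replay
}
```

The order of the checks matters for what a log line reveals: issuer and signature are verified before the payload is interpreted, so a message from an unknown or unsigned source never reaches the audience and time checks. The short validity window and the consumed-ID set are what bound the damage if a signed assertion is captured in transit.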
8. Opportunity
◦ Cloud computing is about gracefully losing control while maintaining accountability even if the
operational responsibility falls upon one or more third parties.
How can SAML address the problem
◦ Identity federation
A SAML bridge allows users to use their IdPs to log in to SAML-enabled SaaS endpoints with a SAML
assertion. SaaS services are configured to accept federated authentication using SAML from partner IdPs.
◦ Trust domains
In this solution a user can have different credentials in each application or cloud service. When these
applications and cloud services are in a chained trust domain, the SAML identity provider can reconcile
the different identities, allowing users to access different applications using their appropriate credentials.
◦ Token translation
In this solution a client has authenticated with an IdP. When the client tries to access a SaaS service, a
Security Token Service converts the security token that was used locally into a standard SAML security
token containing the user's identity. This token is shared with the SaaS. The SaaS provider validates
incoming security tokens and generates a new local token for consumption by other applications.
◦ Delegated authentication
Using delegated authentication, the SaaS service provider does not use SAML assertions but instead
uses an external Web service to validate user credentials. When a user attempts to log in, the platform
checks the user's profile to see if they are enabled for SSO. If so, it makes a Web services call to the
endpoint specified for the organization, asking it to validate the username and password.
9. Single Sign-On with SalesForce
◦ When a user tries to log in, either online or via the API, Salesforce validates the
username and checks the user's profile settings.
◦ If the user's profile has the "Uses Single Sign-on" user permission, then Salesforce
does not authenticate the username with the password. Instead, a Web Services call is
made to the user's single sign-on service, asking it to validate the username and
password.
◦ The Web Services call passes the username, password and source IP to a Web Service
defined for your organization. You must create and deploy an implementation of the
Web Service that can be accessed by Salesforce.com servers.
◦ Your implementation of the Web Service validates the passed information and returns
either "true" or "false". If the response is "true", then the login process continues, a new
session is generated, and the user proceeds to the application. If "false" is returned,
then the user is informed that his or her username and password combination was
invalid.
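The delegated authentication pattern (the "Delegated authentication" item on the Opportunity slide and the Salesforce flow just described), as an added example that is neither Salesforce's code nor the slides' own: the enterprise-side Web service that receives username, password and source IP and answers only "true" or "false". The JSON request shape is a constructed stand-in for the Web service interface the slides describe, and the user store, password and address ranges are constructed sample data. The example goes one step beyond the slide by showing what the enterprise side has to get right for the credential-store concerns on the challenges slide: passwords kept only as salted one-way digests, constant-time comparison, a uniform code path for unknown users, and a per-user source-network restriction.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/json"
	"net"
	"net/http"
	"strings"
)

// userRecord is what the enterprise keeps per user: a salt, a one-way digest of
// the password, and the networks the user may log in from. SHA-256 is used only
// because it is in the standard library; a deliberately slow password hash
// (bcrypt, scrypt, Argon2) belongs here in production.
type userRecord struct {
	salt    []byte
	digest  []byte
	allowed []*net.IPNet
}

// DelegatedAuthenticator makes the true/false decision the slides describe.
type DelegatedAuthenticator struct {
	users map[string]userRecord
}

func NewDelegatedAuthenticator() *DelegatedAuthenticator {
	return &DelegatedAuthenticator{users: map[string]userRecord{}}
}

func hashPassword(salt []byte, password string) []byte {
	h := sha256.New()
	h.Write(salt)
	h.Write([]byte(password))
	return h.Sum(nil)
}

// AddUser stores a salted digest, never the clear-text password. cidrs are the
// networks the user may authenticate from; none means no restriction.
func (d *DelegatedAuthenticator) AddUser(username, password string, cidrs ...string) error {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return err
	}
	rec := userRecord{salt: salt, digest: hashPassword(salt, password)}
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			return err
		}
		rec.allowed = append(rec.allowed, n)
	}
	d.users[strings.ToLower(username)] = rec
	return nil
}

// Validate answers the question Salesforce asks: may this username log in with
// this password from this source IP?
func (d *DelegatedAuthenticator) Validate(username, password, sourceIP string) bool {
	rec, ok := d.users[strings.ToLower(username)]
	if !ok {
		hashPassword(make([]byte, 16), password) // same work for unknown users
		return false
	}
	if subtle.ConstantTimeCompare(hashPassword(rec.salt, password), rec.digest) != 1 {
		return false
	}
	if len(rec.allowed) == 0 {
		return true
	}
	ip := net.ParseIP(sourceIP)
	if ip == nil {
		return false
	}
	for _, n := range rec.allowed {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// authRequest is the request body assumed for this example (constructed).
type authRequest struct {
	Username string `json:"username"`
	Password string `json:"password"`
	SourceIP string `json:"sourceIp"`
}

// ServeHTTP returns the bare decision and nothing else, so the caller learns
// whether the login may continue but not which check failed.
func (d *DelegatedAuthenticator) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	var req authRequest
	if r.Method != http.MethodPost || json.NewDecoder(http.MaxBytesReader(w, r.Body, 4096)).Decode(&req) != nil {
		http.Error(w, "false", http.StatusBadRequest)
		return
	}
	w.Header().Set("Content-Type", "text/plain")
	if d.Validate(req.Username, req.Password, req.SourceIP) {
		w.Write([]byte("true"))
	} else {
		w.Write([]byte("false"))
	}
}

func main() {
	d := NewDelegatedAuthenticator()
	if err := d.AddUser("alice", "correct horse battery staple", "10.0.0.0/8"); err != nil {
		panic(err)
	}
	// The endpoint carries clear-text passwords, so only expose it over TLS and
	// only to the SaaS provider's addresses; plain HTTP here keeps the example short.
	http.ListenAndServe(":8080", d)
}
```

Because the SaaS provider forwards the user's password to this service on every login, the endpoint inherits the same obligations as the original password store: transport protection, restricting which callers may reach it, and logging decisions without logging the credentials themselves.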
10. SecureAuth
◦ SecureAuth SAML delegated SSO
Apere
◦ dM4Cloud provides Agentless SSO as an extension to
logging into Active Directory
Intel
◦ Intel Expressway Cloud Access 360 provides an OpenID-SAML
bridge that allows users to use OpenID providers
such as Paypal to log in to SAML-enabled endpoints
such as Salesforce