Nagraj Rao
Saturday, September 17, 2011




       12/29/2011
   Cloud trends in the enterprise
   Security challenges in cloud computing
   SAML introduction
   SAML Use Cases
   Does SAML address the security challenges in cloud computing?
   Some SAML solutions
   Example and Vendors




   Cloud Computing defined
    ◦ Cloud computing is a computing model that allows the utilization of a computing infrastructure
      at one or more levels of abstraction, as an on-demand service made available over the
      Internet or another computer network.

   Basic models for cloud computing
    ◦ Software as a Service (SaaS), where applications are hosted and delivered, e.g. Google Docs,
      Salesforce.
    ◦ Platform as a Service (PaaS), where the cloud provides the software platform for systems (as
      opposed to just software), the best current example being the Google App Engine.
    ◦ Infrastructure as a Service (IaaS), where a set of virtualized computing resources, such as
      storage and computing capacity, are hosted in the cloud; customers deploy and run their own
      software stacks to obtain services. An example is Amazon Elastic Compute Cloud (EC2).

   Why is it popular?
    ◦ Cloud computing provides greater flexibility and availability at lower cost.




   Single Sign-on Challenge
    ◦ The enterprise typically uses access management to integrate applications in different
      domains into an application portal, so that the end user can access applications without
      re-authentication. Access management may work well for applications within the data center
      or within the same domain, but cloud computing service providers are typically in external data
      centers and located in a different domain, requiring a new SSO.
   Authentication and Identity Management
    ◦ Impersonation: When the same password is used for various cloud services, an insider or an
      attacker who gains access to the password store might capture passwords and
      impersonate users at other sites.
    ◦ Security of the stored credentials: Are they one-way hashed? What is the data store?
    ◦ No easy way for the enterprise to manage and administer the cloud's access control.
   Heterogeneity
    ◦ Multiple service providers can coexist in clouds and collaborate to provide various services;
      they might have different security approaches and privacy mechanisms.
    ◦ Lack of a trust framework to handle dynamic interactions between different service providers.
   Access to Data
    ◦ Lack of well-defined constraints on OS services. For example, authorization to define access to
      well-defined parts of the file system in a multi-tenant cloud service.




   What is SAML
    ◦ SAML (Security Assertion Markup Language) is an XML framework for exchanging security information
      over a network. SAML provides a framework to implement a platform-neutral, secure and scalable
      SSO solution.
   Concepts
    ◦ Assertions: At the core of SAML, assertions are used by an asserting party to communicate the
      authentication, attribute and entitlement information for a given subject. Assertions are
      created by asserting parties, also known as identity providers (IdPs).
    ◦ Protocol: Request and response elements for packaging assertions.
    ◦ Bindings: Map SAML protocols to the lower-level transports used for the request/response
      exchanges. Bindings define how the SAML request and response messages described in the
      SAML protocols can be carried using SOAP message exchanges.
    ◦ Profiles: Define combinations of assertions, protocols and bindings that can be used for a
      specific use case.
    ◦ SAML in Web services security: SAML assertions can be used in Web services security
      (WS-Security) to secure Web services messages.
   (Slide diagram: the SAML layer stack, from top to bottom Profiles, Bindings, Protocol, Assertions.)


   Single sign-on (SSO)
    ◦   User logs in to abc.com and is authenticated.
    ◦   The same user tries to access def.com.
    ◦   def.com can ask abc.com whether the user has already been authenticated.
    ◦   abc.com then sends back a SAML assertion statement indicating that the user has in fact been authenticated.
    ◦   Once def.com receives the SAML assertion statement, it allows the user to access its resources without asking the user to re-enter
        his identity information.
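The SSO use case ends with def.com accepting abc.com's assertion. The following is an added example, not code from the slides, of the checks the service provider (def.com) must run on such an assertion before trusting it: issuer, validity window, audience, bearer confirmation against a request it actually sent, and replay. It uses only the standard library, so it assumes the XML signature has already been verified against abc.com's certificate by an XML-DSig library (e.g. xmlsec or python3-saml); the assertion, URLs, IDs and timestamps are constructed.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed sample, as abc.com (IdP) would return it to def.com (SP). The
# <ds:Signature> is omitted: assumed already verified (see lead-in).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1b2c3" Version="2.0" IssueInstant="2011-09-17T10:00:00Z">
  <saml:Issuer>https://abc.com/idp</saml:Issuer>
  <saml:Subject>
    <saml:NameID>alice@abc.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData InResponseTo="_req42"
          Recipient="https://def.com/saml/acs" NotOnOrAfter="2011-09-17T10:05:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2011-09-17T09:59:00Z" NotOnOrAfter="2011-09-17T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://def.com/sp</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2011-09-17T10:00:00Z"/>
</saml:Assertion>"""


class SamlValidationError(Exception):
    pass  # any failed check rejects the whole assertion


def utc(hour, minute):
    """Helper for the constructed timestamps (17 Sep 2011, UTC)."""
    return datetime(2011, 9, 17, hour, minute, tzinfo=timezone.utc)


def _parse_time(value):
    # xs:dateTime in UTC, with or without fractional seconds.
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in value else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, *, trusted_issuer, audience, recipient,
                       outstanding_requests, seen_assertion_ids, now,
                       skew=timedelta(seconds=60)):
    """Return the subject's NameID when every check passes, else raise."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise SamlValidationError(f"malformed XML: {exc}") from None
    if root.tag != f"{{{SAML_NS}}}Assertion" or root.get("Version") != "2.0":
        raise SamlValidationError("not a SAML 2.0 Assertion")

    # 1. Only the IdP def.com federated with (abc.com) may vouch for users.
    if root.findtext("saml:Issuer", namespaces=NS) != trusted_issuer:
        raise SamlValidationError("untrusted issuer")

    # 2. Validity window from <Conditions>, with a small clock-skew allowance.
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise SamlValidationError("missing Conditions")
    if "NotBefore" in cond.attrib and now + skew < _parse_time(cond.get("NotBefore")):
        raise SamlValidationError("assertion not yet valid")
    if "NotOnOrAfter" in cond.attrib and now - skew >= _parse_time(cond.get("NotOnOrAfter")):
        raise SamlValidationError("assertion expired")

    # 3. Audience: a genuinely signed assertion minted for another SP is not usable here.
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if audience not in audiences:
        raise SamlValidationError("audience mismatch")

    # 4. Bearer confirmation: must answer a request this SP issued, at this SP's endpoint.
    data = root.find(f"saml:Subject/saml:SubjectConfirmation[@Method='{BEARER}']"
                     "/saml:SubjectConfirmationData", NS)
    if data is None:
        raise SamlValidationError("no bearer SubjectConfirmationData")
    if data.get("Recipient") != recipient:
        raise SamlValidationError("recipient mismatch")
    if "NotOnOrAfter" in data.attrib and now - skew >= _parse_time(data.get("NotOnOrAfter")):
        raise SamlValidationError("bearer confirmation expired")
    req_id = data.get("InResponseTo")
    if req_id not in outstanding_requests:
        raise SamlValidationError("unsolicited or already-consumed InResponseTo")

    # 5. Replay: each assertion ID is accepted once within its lifetime.
    assertion_id = root.get("ID")
    if not assertion_id or assertion_id in seen_assertion_ids:
        raise SamlValidationError("replayed assertion")
    if root.find("saml:AuthnStatement", NS) is None:
        raise SamlValidationError("IdP did not assert authentication")
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        raise SamlValidationError("missing NameID")

    outstanding_requests.discard(req_id)  # consume the request id
    seen_assertion_ids.add(assertion_id)  # remember until NotOnOrAfter has passed
    return name_id


def check_assertion(xml_text, **kw):
    """Non-raising wrapper: (True, name_id) or (False, reason)."""
    try:
        return True, validate_assertion(xml_text, **kw)
    except SamlValidationError as exc:
        return False, str(exc)
```

In a real deployment `seen_assertion_ids` and `outstanding_requests` live in shared storage with expiry, not in process memory.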


   Distributed transaction service
    ◦   User buys a car from Cars.com.
    ◦   The same user then decides to buy automobile insurance from Insurance.com.
    ◦   Insurance.com sends a SAML assertion request to Cars.com, such as "send me the user profile", and Cars.com sends all the user profile
        information it knows to Insurance.com in SAML assertion statements.



   Authorization service
    ◦   A Works.com employee wants to order a million dollars' worth of furniture from Office.com (their preferred supplier).
    ◦   When Office.com receives the purchase order, it wants to know whether the employee was authorized to submit this order and, if so, the
        maximum dollar limit.
    ◦   When Office.com receives the purchase order from Works.com's employee, it sends a SAML assertion request message to Works.com, which then
        sends back a SAML assertion indicating that the employee is in fact allowed to order the furniture, but that the maximum amount is 500K.



   Web service security
    ◦   Defines a set of SOAP header extensions for end-to-end SOAP messaging security.
    ◦   WS-Security supports multiple security models, such as username/password-based and certificate-based models.
    ◦   WS-Security describes how to encode Username Tokens, X.509 Tokens and SAML assertions, as well as how to include opaque encrypted keys.
        Message integrity is provided by leveraging XML Signature and security tokens to ensure that messages originated from the
        appropriate sender and were not modified in transit.
    ◦   Message confidentiality leverages XML Encryption and security tokens to keep portions of a SOAP message confidential.




   What does it solve
    ◦ It solves the problem of exchanging security information through the use of SAML assertions.
    ◦ Provides a mechanism to control access to resources for authenticated principals.
    ◦ Shares information about a subject among service providers in a platform-agnostic way. SAML
      allows secure exchange of messages between different services via PKI. For example, by signing a
      message with the sender's private key, it can be proven that the message was truly sent by the
      sender.
    ◦ PKI can also be used for the distribution of symmetric keys protected by the receivers' public keys,
      solving the problem of key distribution.




   Opportunity
    ◦   Cloud computing is about gracefully losing control while maintaining accountability even if the
        operational responsibility falls upon one or more third parties.

   How can SAML address the problem?
    ◦   Identity federation
           A SAML bridge that allows users to use their IdPs to log in to SAML-enabled SaaS endpoints using SAML
            assertions. SaaS services are configured to accept federated authentication using SAML from partner IdPs.
    ◦   Trust domains
           In this solution a user can have different credentials in each application or cloud service. When these
            applications and cloud services are in a chained trust domain, the SAML identity provider can reconcile the
            different identities, allowing users to access different applications using their appropriate credentials.
    ◦   Token translation
           In this solution a client has authenticated with an IdP. When the client tries to access a SaaS service, a
            Security Token Service converts the security token that was used locally into a standard SAML security
            token containing the user's identity. This token is shared with the SaaS. The SaaS provider validates
            incoming security tokens and generates a new local token for consumption by other applications.
    ◦   Delegated authentication
           Using delegated authentication, the SaaS service provider does not use SAML assertions but instead
            uses an external Web service to validate user credentials. When a user attempts to log in, the platform
            checks the user's profile to see if they are enabled for SSO. If so, it makes a Web services call to the
            endpoint specified for the organization, asking it to validate the username and password.




   Single Sign-On with Salesforce
    ◦ When a user tries to log in, either online or via the API, Salesforce validates the
      username and checks the user's profile settings.

    ◦ If the user's profile has the "Uses Single Sign-on" user permission, then Salesforce
      does not authenticate the username with the password. Instead, a Web Services call is
      made to the user's single sign-on service, asking it to validate the username and
      password.

    ◦ The Web Services call passes the username, password and source IP to a Web Service
      defined for your organization. You must create and deploy an implementation of the
      Web Service that can be accessed by Salesforce.com servers.

    ◦ Your implementation of the Web Service validates the passed information and returns
      either "true" or "false". If the response is "true", then the login process continues, a new
      session is generated, and the user proceeds to the application. If "false" is returned,
      then the user is informed that his or her username and password combination was
      invalid.
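The delegated-authentication flow above (and the "Delegated authentication" item on the previous slide) leaves the organization to implement the Web Service that answers "true" or "false". The following is an added example, not Salesforce's or the presentation's code, of the validation logic such a service would run on the three fields the slide names, username, password and source IP; it stores only salted one-way hashes (the "are they one-way hashed?" question from the challenges slide) and locks an account after repeated failures, because an Internet-reachable yes/no endpoint is otherwise a password-guessing oracle. Function names, the user store, the permitted source ranges and the lockout threshold are assumed and constructed.

```python
import hashlib
import hmac
import ipaddress
import os

PBKDF2_ROUNDS = 100_000
MAX_FAILURES = 5            # assumed policy: lock after this many bad passwords
DUMMY_SALT = os.urandom(16)  # used so unknown users cost the same as known ones


def make_record(password: str) -> dict:
    """Credential store entry: random salt plus a slow one-way hash, never the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "hash": digest}


# Constructed store and login policy for the example (RFC 5737 documentation ranges).
USERS = {
    "alice@example.com": make_record("correct horse battery staple"),
    "bob@example.com": make_record("another-long-passphrase"),
}
ALLOWED_LOGIN_NETS = [ipaddress.ip_network("203.0.113.0/24"),
                      ipaddress.ip_network("198.51.100.0/24")]
FAILED_ATTEMPTS: dict = {}   # username -> consecutive failures (shared storage in production)


def password_matches(username: str, password: str) -> bool:
    record = USERS.get(username)
    salt = record["salt"] if record else DUMMY_SALT
    # Always run the KDF so response time does not reveal which usernames exist.
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return record is not None and hmac.compare_digest(candidate, record["hash"])


def source_ip_allowed(source_ip: str) -> bool:
    """The source IP the platform forwards lets the organization restrict where logins come from."""
    try:
        ip = ipaddress.ip_address(source_ip)
    except ValueError:
        return False        # malformed or missing address: fail closed
    return any(ip in net for net in ALLOWED_LOGIN_NETS)


def authenticate(username: str, password: str, source_ip: str) -> bool:
    """The answer returned to the platform: True continues the login, False rejects it."""
    if FAILED_ATTEMPTS.get(username, 0) >= MAX_FAILURES:
        return False        # locked out; correct password no longer helps
    if not source_ip_allowed(source_ip):
        return False        # policy check first, before spending CPU on the KDF
    if not password_matches(username, password):
        FAILED_ATTEMPTS[username] = FAILED_ATTEMPTS.get(username, 0) + 1
        return False
    FAILED_ATTEMPTS.pop(username, None)   # success resets the counter
    return True
```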




   SecureAuth
    ◦ SecureAuth SAML delegated SSO
   Apere
    ◦ dM4Cloud provides agentless SSO as an extension to
      logging into Active Directory
   Intel
    ◦ Intel Expressway Cloud Access 360 provides an OpenID
      - SAML bridge that allows users to use OpenID providers
      such as PayPal to log in to SAML-enabled endpoints
      such as Salesforce




 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
 

SAML in cloud

  • 4. Single Sign-on Challenge
    ◦ The enterprise typically uses access management to integrate applications in different domains into an application portal, so that the end user can access applications without re-authentication. Access management may work well for the applications within the data center or within the same domain, but cloud computing service providers are typically in external data centers and located within a different domain, requiring a new SSO.
    - Authentication and Identity Management
      ◦ Impersonation: When the same password is used for various cloud services, an insider or an attacker who can gain access to the password store might capture passwords and impersonate users at other sites.
      ◦ Security of the stored credentials: Are they one-way hashed? What is the data store?
      ◦ No easy way for enterprises to manage and administer the cloud's access control.
    - Heterogeneity
      ◦ Multiple service providers can coexist in clouds and collaborate to provide various services, but they might have different security approaches and privacy mechanisms.
      ◦ Lack of a trust framework to handle dynamic interactions between different service providers.
    - Access to Data
      ◦ Lack of well-defined constraints on OS services. For example, authorization to define access to well-defined parts of the file system in a multi-tenant cloud service.
  • 5. What is SAML
    ◦ SAML (Security Assertion Markup Language) is an XML framework for exchanging security information over a network. SAML provides a framework to implement a platform-neutral, secure and scalable SSO solution.
    - Concepts (slide diagram: the SAML component stack, Profiles over Bindings over Protocol over Assertions)
      ◦ Assertions: At the core of SAML, assertions are used by an asserting party to communicate the authentication, attribute and entitlement information for a given subject. Assertions are created by asserting parties, also known as Identity Providers (IdPs).
      ◦ Protocol: Request and response elements for packaging assertions.
      ◦ Bindings: Map SAML protocols to the lower-level transports that are used for the request/response exchanges. Bindings define how the SAML request and response messages described in SAML protocols can be executed using SOAP message exchanges.
      ◦ Profiles: Define combinations of assertions, protocols and bindings that can be used for a specific use case.
      ◦ SAML in Web services security: SAML assertions can be used in Web services security (WS-Security) to secure Web services messages.
  • 6. Single sign-on (SSO)
    ◦ User logs in to abc.com and is authenticated.
    ◦ The same user tries to access def.com.
    ◦ def.com can ask abc.com if the user has already been authenticated.
    ◦ abc.com then sends back a SAML assertion statement indicating that the user has in fact been authenticated.
    ◦ Once def.com receives the SAML assertion statement, it allows the user to access its resources without asking the user to re-enter his identity information.
    - Distributed transaction service
      ◦ User buys a car from Cars.com.
      ◦ The same user then decides to buy automobile insurance from Insurance.com.
      ◦ Insurance.com sends a SAML assertion request, such as "send me the user profile", to Cars.com, and Cars.com sends all the user profile information it knows to Insurance.com in SAML assertion statements.
    - Authorization service
      ◦ A Works.com employee wants to order million worth of furniture from Office.com (their preferred supplier).
      ◦ When Office.com receives the purchase order, it wants to know if the employee was authorized to submit this order and, if so, the maximum dollar limit.
      ◦ When Office.com receives a purchase order from Works.com's employee, it sends a SAML assertion request message to Works.com, which then sends back a SAML assertion indicating that the employee was in fact allowed to order the furniture, but that the maximum amount was 500K.
    - Web service security
      ◦ Defines a set of SOAP header extensions for end-to-end SOAP messaging security.
      ◦ WS-Security supports multiple security models, such as username/password-based and certificate-based models.
      ◦ WS-Security describes how to encode Username Tokens, X.509 Tokens and SAML tokens, as well as how to include opaque encrypted keys. Message integrity is provided by leveraging XML Signature and security tokens to ensure that messages have originated from the appropriate sender and were not modified in transit.
      ◦ Message confidentiality leverages XML Encryption and security tokens to keep portions of a SOAP message confidential.
  • 7. What does it solve
    ◦ It solves the problem of exchanging security information. By the use of SAML assertions, security.
    ◦ Provides a mechanism to control access to resources for authenticated principals.
    ◦ Sharing information about a subject among service providers in a platform-agnostic way. SAML allows secure exchange of messages between different services via PKI. For example, by signing a message with the sender's private key, it can be proven that the message was truly sent by the sender.
    ◦ PKI can also be used for the distribution of symmetric keys protected by the receivers' public keys, solving the problem of key distribution.
  • 8. Opportunity
    ◦ Cloud computing is about gracefully losing control while maintaining accountability even if the operational responsibility falls upon one or more third parties.
    - How can SAML address the problem
      ◦ Identity federation: A SAML bridge that allows users to use IdPs to log in to SAML-enabled SaaS endpoints using SAML assertions. SaaS services are configured to accept federated authentication using SAML from partner IdPs.
      ◦ Trust domains: In this solution a user can have different credentials in each application or cloud service. When these applications and cloud services are in a chained trust domain, the SAML identity provider can reconcile the different identities, allowing users to access different applications using their appropriate credentials.
      ◦ Token translation: In this solution a client has authenticated with an IdP. When the client tries to access a SaaS service, a Security Token Service converts the security token that was used locally into a standard SAML security token containing the user's identity. This token is shared with the SaaS. The SaaS provider validates incoming security tokens and generates a new local token for consumption by other applications.
      ◦ Delegated authentication: Using delegated authentication, the SaaS service provider does not use SAML assertions but instead uses an external Web service to validate user credentials. When a user attempts to log in, the platform checks the user's profile to see if they are enabled for SSO. If so, it makes a Web services call to the endpoint specified for the organization, asking it to validate the username and password.
  • 9. Single Sign-On with SalesForce
    ◦ When a user tries to log in, either online or via the API, Salesforce validates the username and checks the user's profile settings.
    ◦ If the user's profile has the "Uses Single Sign-on" user permission, then Salesforce does not authenticate the username with the password. Instead, a Web Services call is made to the user's single sign-on service, asking it to validate the username and password.
    ◦ The Web Services call passes the username, password and source IP to a Web Service defined for your organization. You must create and deploy an implementation of the Web Service that can be accessed by Salesforce.com servers.
    ◦ Your implementation of the Web Service validates the passed information and returns either "true" or "false". If the response is "true", then the login process continues, a new session is generated, and the user proceeds to the application. If "false" is returned, then the user is informed that his or her username and password combination was invalid.
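The decision logic of the validating Web Service described above, as an added example that is neither the deck's nor Salesforce's own code: it answers only true or false, stores credentials as salted one-way PBKDF2 hashes (the slide 4 concern about stored credentials) and uses the passed source IP to enforce an organization login-range policy. The user record, password, salts and the 198.51.100.0/24 range are constructed placeholders; the SOAP framing around the call is outside the snippet.

```python
import hashlib
import hmac
import ipaddress
import os


def make_record(password, salt=None, iterations=100_000):
    """Store a salted one-way PBKDF2-HMAC-SHA256 hash, never the password itself."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}


# Constructed sample store: fixed salts so the example is reproducible.
USERS = {
    "alice@example.com": make_record("correct horse battery staple", salt=b"0123456789abcdef"),
}
# Dummy record hashed for unknown usernames, so response time does not reveal which users exist.
DUMMY = make_record("", salt=b"fedcba9876543210")

# Constructed policy: the organization only accepts logins from these ranges (RFC 5737 test block).
ALLOWED_LOGIN_RANGES = [ipaddress.ip_network("198.51.100.0/24")]


def source_allowed(source_ip):
    """The source IP Salesforce forwards is the user's; reject logins from outside policy ranges."""
    try:
        ip = ipaddress.ip_address(source_ip)
    except ValueError:
        return False
    return any(ip in net for net in ALLOWED_LOGIN_RANGES)


def validate_login(username, password, source_ip):
    """Delegated-authentication answer: strictly True or False, as the slide describes."""
    if not source_allowed(source_ip):
        return False
    record = USERS.get(username, DUMMY)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], record["iterations"])
    # Constant-time compare, then require that the user actually exists.
    return hmac.compare_digest(candidate, record["hash"]) and username in USERS
```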
  • 10. SecureAuth
    ◦ SecureAuth SAML delegated SSO
    - Apere
      ◦ dM4Cloud provides Agentless SSO as an extension to logging into Active Directory
    - Intel
      ◦ Intel Expressway Cloud Access 360 provides an OpenID - SAML bridge that allows users to use OpenID providers such as PayPal to log in to SAML-enabled endpoints such as Salesforce
  • 11. http://csrc.nist.gov/publications/drafts/800-144/Draft-SP-800-144_cloud-computing.pdf
    - http://www.sis.pitt.edu/~jjoshi/courses/IS2620/Spring11/cloud.pdf
    - https://cloudsecurityalliance.org/csaguide.pdf
    - http://www.hicss.hawaii.edu/hicss_44/bp44/st1.pdf