E gov security_tut_session_9
Mustafa Jarrar
1. The Palestinian eGovernment Academy
www.egovacademy.ps
Security Tutorial, Session 9
PalGov © 2011
2. About
This tutorial is part of the PalGov project, funded by the TEMPUS IV program of the Commission of the European Communities, grant agreement 511159-TEMPUS-1-2010-1-PS-TEMPUS-JPHES. The project website: www.egovacademy.ps
Project Consortium:
• Birzeit University, Palestine
• University of Trento, Italy (Coordinator)
• Palestine Polytechnic University, Palestine
• Vrije Universiteit Brussel, Belgium
• Palestine Technical University, Palestine
• Université de Savoie, France
• Ministry of Telecom and IT, Palestine
• University of Namur, Belgium
• Ministry of Interior, Palestine
• TrueTrust, UK
• Ministry of Local Government, Palestine
Coordinator: Dr. Mustafa Jarrar, Birzeit University, P.O.Box 14-Birzeit, Palestine. Telfax: +972 2 2982935, mjarrar@birzeit.edu
3. © Copyright Notes
Everyone is encouraged to use this material, or part of it, but should properly cite the project (logo and website), and the author of that part. No part of this tutorial may be reproduced or modified in any form or by any means, without prior written permission from the project, which holds the full copyrights on the material.
Attribution-NonCommercial-ShareAlike CC-BY-NC-SA: this license lets others remix, tweak, and build upon your work non-commercially, as long as they credit you and license their new creations under the identical terms.
4. Tutorial 5: Information Security
Session 9: Federated Identity Management (FIM)
Session 9 Outline:
• Session 9 ILOs.
• Federated Identity Management.
5. Tutorial 5: Session 9 (FIM) - ILOs
This session will contribute to the following ILOs:
• A: Knowledge and Understanding
– Understanding of the concepts underlying Secure Information Systems.
– Have an understanding of the various techniques used in identity management.
– Understand the motivation, design, operation and management of modern systems for encryption, authentication, authorization and identification.
• B: Intellectual Skills
– Design end-to-end secure and available systems.
– The ability to analyze the information security requirements of an organization.
• D: Intellectual Skills
– Analysis and identification skills.
6. Tutorial 5: Information Security
Session 9: Federated Identity Management (FIM)
Session 9 Outline:
• Session 9 ILOs.
• Federated Identity Management.
7. Federated Identity Management
• Introduction
• Overview of HTTP authentication, Cookies, MS Passport and CAPTCHAs.
• Trust Domains and Access Cases.
• FIM Definitions and Concept
• FIM examples
8. Introduction (1)
• There are many recognized sensitive-but-unclassified (SBU) networks and information systems, such as those of the different ministries and entities in Palestine.
• Each has invested in technology, governance structures, policies and trust relationships, but they are not interoperable with each other.
9. Introduction (2)
• We need to ensure that the right individuals have access to the authorized resources they need, regardless of where they reside in the enterprise.
• Example: the driving licence renewal example given in Tutorial 1.
10. Introduction (3)
• Security and privacy of information are major impediments to information exchange and system interoperability.
• Users must subscribe to multiple sites and manage multiple security credentials in order to get access to the resources they need at different ministries.
• This is expensive, frustrating for users, and not scalable.
11. Federated Identity Management
• Introduction
• Overview of HTTP authentication and Cookies.
• Trust Domains and Access Cases.
• FIM Definitions and Concept
• FIM examples
12. But first some background info: HTTP Cookies
• Cookies allow a web server/site to store state information for itself (often encrypted) on the user's browser.
• A site can store many cookies, and the client should return them all when it returns to the site.
• Often used to enable SSO, since the site can tell whether a user is already authenticated or not.
13. HTTP Redirect and Form-POST
• HTTP Redirect allows one server to pass information to another server via the browser, as information in a URL.
• HTTP Form-POST: one server builds a form with an action to POST it to another server, delivers the form to the browser in the message body, and the browser then submits it to the other server.
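The two browser-mediated transports on slide 13, as an added Python example that is not part of the original deck: one server answers with a redirect whose URL query carries the parameters, or with a self-submitting HTML form whose hidden fields carry them, and the other server parses what the browser delivers. The token value, the URLs and the field names are constructed for the example; the point to notice is that every value is URL-encoded in one binding and HTML-escaped in the other, so a value chosen by a user cannot break out of the URL or the form.

```python
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample: an opaque token the first server wants to hand to the
# second, plus where to send the user afterwards. The contents do not matter
# here; what matters is how the browser carries them between the servers.
SAMPLE_PARAMS = {"assertion": "c2FtcGxlLWFzc2VydGlvbg", "relay": "/licence/renew?id=42"}


def redirect_binding(target_url, params):
    """Server A answers the browser with a 302 whose Location carries the
    parameters in the query string; the browser then GETs server B.
    Everything in the URL ends up in browser history and server logs."""
    return 302, {"Location": target_url + "?" + urlencode(params)}


def receive_redirect(request_url):
    """Server B reads the parameters back out of the URL it was asked for."""
    query = urlsplit(request_url).query
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


def post_binding(target_url, params):
    """Server A returns a page whose form posts the parameters to server B.
    Names and values are HTML-escaped so no value can escape its attribute."""
    fields = "\n".join(
        f'  <input type="hidden" name="{html.escape(k, quote=True)}" '
        f'value="{html.escape(v, quote=True)}">'
        for k, v in params.items()
    )
    return (
        '<!DOCTYPE html><html><body onload="document.forms[0].submit()">\n'
        f'<form method="POST" action="{html.escape(target_url, quote=True)}">\n'
        f"{fields}\n"
        '  <noscript><input type="submit" value="Continue"></noscript>\n'
        "</form></body></html>"
    )


class _HiddenFieldCollector(HTMLParser):
    """Collects the form action and hidden fields, the way a browser would."""

    def __init__(self):
        super().__init__()
        self.action = None
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # HTMLParser has already unescaped the values
        if tag == "form":
            self.action = attrs.get("action")
        elif tag == "input" and attrs.get("type") == "hidden":
            self.fields[attrs.get("name")] = attrs.get("value", "")


def browser_submits_form(page):
    """Simulates the browser: returns (target URL, urlencoded POST body)."""
    collector = _HiddenFieldCollector()
    collector.feed(page)
    return collector.action, urlencode(collector.fields)


def receive_post(body):
    """Server B parses the application/x-www-form-urlencoded body it received."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
```

With the POST binding the parameters travel in the request body rather than the URL, which is why it is the usual choice when the information being passed is a credential or assertion.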
14. Privacy Protection
• The user can choose to share e-mail address, name and other profile information with all participating sites (but it must be the same for all sites).
15. CAPTCHAs
• Completely Automated Public Turing test to tell Computers and Humans Apart.
• Designed to stop automated user registration programs and a possible DoS attack by flooding the registration process.
• The user is asked to type in some characters that most programs are incapable of reading.
16. Federated Identity Management
• Introduction
• Overview of HTTP authentication and Cookies.
• Trust Domains and Access Cases.
• FIM Definitions and Concept
• FIM examples
17. Trust Domains Definition
Trust domains describe the boundaries of a security infrastructure operating under a consistent set of policies, governance, and technology mechanisms.
[Figure: Trust Domain 1 and Trust Domain 2, with a question mark between them]
18. Problems with Trust Domains
Problem:
• Authentication and Authorization are typically recognized only within a given trust domain, unless.....
What is required to achieve interoperability across different Trust Domains?
19. Different Access Cases
• Case 1: One user accessing one application or service.
• Case 2: One user accessing many applications.
• Case 3: Many users accessing many applications.
20. Case 1: One user accessing one application
Steps in provisioning access:
• Vetting (who are you?)
• Permissions (what can you access?)
• Credentials (how do I know it's you? – passwords, smart cards, etc.)
[Figure: user → Application / Services; access requires authentication of credentials]
21. Case 2: One user accessing many applications
Steps in provisioning access (×N):
• Vetting
• Permissions
• Credentials
RESULT:
• Each application must perform all steps above.
• The user must keep track of N sets of credentials.
22. Case 3: Many users accessing many applications
Steps in provisioning access (×M×N):
• Vetting
• Permissions
• Credentials
Too many operations!!
RESULTS:
• Multifactor credentials & vetting become too expensive.
• Vetting & credentials are not done well.
• Vetting is too far from the user to be kept up to date effectively.
• High barrier to access.
23. If not checked correctly!!! [1]
1. John Wandelt, Georgia Tech Research Institute (GTRI), August 2007, www.it.ojp.gov/GFIPM
24. Proposed Solution (1)
• Provisioning of identity and user attributes (vetting and credentialing) stays with the user's organization (×M users).
• Applications make access and authorization decisions based on trusted federation credentials and user attributes.
25. Proposed Solution (2)
• Huge savings in vetting and credentialing: M << M×N
• Vetting is better – closer to the user, since the user's own organization does the vetting.
• Credentialing is better – can afford multifactor.
• Each user only needs one credential (Single sign-on).
• Lower barriers to access – more access.
26. Federated Identity Management
• Introduction
• Overview of HTTP authentication, Cookies.
• Trust Domains and Access Cases.
• FIM Definitions and Concept
• FIM examples
27. Some Definitions
• Identity:
– A whole set of attributes that in combination uniquely characterise a person – hair colour, sound of their voice, height, name, qualifications, past actions, reputation etc.
• Attribute:
– A property, quality or characteristic of an entity.
• Identifier:
– A string used to uniquely identify an entity in a domain. Often used as login id or primary key in a database. A special type of attribute, since it is usually the only one on its own that can uniquely identify an entity in a domain.
– X.500/LDAP DNs, IP addresses, DNS names, URIs, key IDs, login IDs, 128-bit random numbers are all identifiers.
28. Some Definitions (2)
• Attribute assertion:
– Statement made by an authority that an entity has a particular attribute. An authority can be the entity itself or a (trusted) third party.
• Attribute certificate / authorisation credential:
– Cryptographically protected (usually digitally signed) attribute assertion that can be validated.
• Attribute authority (AA):
– An authoritative source for asserting attributes about entities.
• Service provider:
– An entity that provides a service to clients.
• Identity provider:
– An entity that provides an authentication service, and is often also an AA for a set of identity attributes of its users.
29. FIM Definition
From the RSA Web Site:
• "A federated identity is a single user identity that can be used to access a group of web sites bound by the ties of federation. Without federated identity, users are forced to manage different credentials for every site they use. This collection of IDs and passwords becomes difficult to manage and control over time, offering inroads for identity theft."
• "Federated identity management builds on a trust relationship established between an organization and a person. A federated identity makes it possible for the end user to use one trust relationship to access information with another, related company without establishing new credentials."
30. FIM Definition (cont.)
• From Microsoft's web site:
"Federated systems need to interoperate across organizational boundaries and connect processes utilizing different technologies, identity storage, security approaches and programming models. Within a federated system, identities and their associated credentials are still stored, owned and managed separately. Each individual member of the federation continues to manage its own identities, but is capable of securely sharing and accepting identities and credentials from other members' sources."
• From IBM Tivoli's web site:
"Federated identity management can be defined as an industry framework built on top of industry standards that let subscribers from disparate organizations use their internal identification data to obtain access to the networks of all enterprises in the group."
• SO WHAT IS FIM?
31. FIM Process
• Identifiers are assigned within a domain to uniquely identify an entity. They usually have no meaning outside of the domain of issuance.
• FIM requires identity information to be passed between domains, therefore:
– We need to pass (signed) attribute assertions between domains in order to identify and authorise users between domains.
– FIM is not just Single Sign On, although SSO is part of FIM. Why?
32. A better FIM Definition
• A group of organisations (ministries, associations, municipalities etc.) that set up trust relationships which allow them to send attribute assertions about users' identities between themselves, in order to grant users access to their resources.
• A user can use his credentials (with the AAA concept) from one or more identity providers to gain access to other sites (service providers) within the federation.
• Can we use it for e-gov in Palestine!!
33. User-to-Application
[Figure: user-to-application federation scenario]
34. System-to-System
[Figure: system-to-system federation scenario]
35. Credentials
• Authentic credentials are ones that have not been tampered with and are received exactly as issued by the issuing authority.
• Valid credentials are ones that are trusted for use by the target resource site.
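Slides 28, 31 and 35 together describe what crosses a domain boundary in FIM: a signed attribute assertion, an identifier that only means something inside the issuing domain, and a service provider that distinguishes an authentic assertion (untampered) from a valid one (issued by a provider it trusts, addressed to it, still in date). The following Python is an added example written for this page, not code from the deck or from any of the systems it names. It assumes each trust relationship is backed by a shared HMAC key; a real federation would distribute signing keys as X.509 certificates instead, and the domain names, keys and attributes are constructed.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed trust list of one service provider: the identity providers it has
# a trust relationship with, and the key it checks their assertions under.
# Per-pair shared HMAC keys are an assumption standing in for the signing keys
# a real federation would distribute.
TRUSTED_IDPS = {
    "idp.interior.example": b"constructed-key-interior",
    "idp.transport.example": b"constructed-key-transport",
}


def _b64u(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64u(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_assertion(issuer, key, subject, attributes, audience, ttl=300, now=None):
    """Identity provider side: sign an attribute assertion about `subject`,
    addressed to one service provider. `subject` is the IdP's own identifier
    for the user and means nothing outside the IdP's domain (slide 31)."""
    now = time.time() if now is None else now
    claims = {
        "iss": issuer, "sub": subject, "aud": audience,
        "iat": int(now), "exp": int(now) + ttl, "attrs": attributes,
    }
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return _b64u(body) + "." + _b64u(tag)


def verify_assertion(token, my_domain, trusted=TRUSTED_IDPS, now=None):
    """Service provider side. Returns (status, claims). A good signature makes
    the assertion authentic (slide 35); it is only valid if in addition the
    issuer is trusted here, it is addressed to this site and it has not expired."""
    now = time.time() if now is None else now
    try:
        body_text, tag_text = token.split(".")
        body, tag = _unb64u(body_text), _unb64u(tag_text)
        claims = json.loads(body)
    except ValueError:  # bad split, bad base64 or bad JSON
        return "malformed", None
    if not isinstance(claims, dict):
        return "malformed", None
    key = trusted.get(claims.get("iss"))
    if key is None:
        # No trust relationship: there is nothing to check the signature against.
        return "untrusted_issuer", None
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return "tampered", None
    if claims.get("aud") != my_domain:
        return "wrong_audience", None
    if now >= claims.get("exp", 0):
        return "expired", None
    return "valid", claims


def local_principal(claims):
    """Service provider side: qualify the IdP's identifier with the issuing
    domain, because two IdPs may both have a user '1001'."""
    return f"{claims['iss']}/{claims['sub']}"


def tamper(token, new_attrs):
    """Demonstration helper: change the attributes but keep the old signature,
    which is all anyone without the key can do. verify_assertion must reject it."""
    body_text, tag_text = token.split(".")
    claims = json.loads(_unb64u(body_text))
    claims["attrs"] = new_attrs
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    return _b64u(body) + "." + tag_text
```

The order of the checks matters: the issuer is looked up before the signature is checked because the key to check it with comes from the trust relationship, and the audience check stops an assertion meant for one ministry's site from being replayed at another's.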
36. Federated Identity Management
• Introduction
• Overview of HTTP authentication, Cookies.
• Trust Domains and Access Cases.
• FIM Definitions and Concept
• FIM Examples.
37. FIM Examples
• Old Systems
– Microsoft's Passport
– UK Athens
• Current FIM Systems
– Shibboleth
– OAuth
– Liberty Alliance
– CardSpace
– Higgins
– OpenID
38. Example 1: Microsoft's .NET Passport
• .NET Passport is an authentication system that allows users to access multiple sites using the same credentials.
• Each site remains in charge of its own authorisation, and may use Passport information to help in this.
• How does it work? Users register at a site, but their credentials and profile information are stored centrally by Microsoft at the Passport server. This means that sites must trust Microsoft to hold user credentials and authenticate users correctly.
39. The Registration Process
The Passport site stores the user's credential and profile information, and allocates the user a unique 64-bit Passport User ID (PUID).
40. Credentials referenced by the Passport PUID
• The following are mandatory: e-mail address (unique identifier) and password.
• The following are optional: secret questions and answers, mobile phone number and PIN, security key.
• The following attributes are stored by Passport if the participating sites require it, and are shared between sites if the user opts in:
– Birth Date, Country / Region, First Name, Gender, Last Name, Occupation, Postal Code, Preferred Language, State, Time Zone
41. .NET Passport Authentication
[Figure: .NET Passport authentication flow between the user, the participating site and the Passport server]
42. Intra-Site Authentication Process
• When a user moves to another Participating Site (step 1), the site redirects the user to the Passport site (step 2).
• The user's client sends the Authentication cookie and Profile cookie to Passport during the redirection. Passport then knows the user has already successfully authenticated (modified step 2).
43. Intra-Site Authentication Process
• The Participating Sites cookie on the user's machine is updated by Passport and the user is redirected back to the Participating Site (step 5).
• The Participating Site receives the encrypted tokens from Passport and knows the user has been authenticated (step 6).
• When the user logs out of Passport, all cookies are deleted and the Participating Sites cookie is used to clean up all Participating Sites' computers.
44. Disadvantages of MS Passport?
• All user transactions have to involve Microsoft, as it is responsible for authenticating all users.
• Why should Microsoft be involved in a federation between a car hire company and a hotel? It might be OK for Microsoft-related site federations such as Hotmail and MSN, but not for all federations between all commercial companies.
• Also, the protocol used by Passport was developed by Microsoft and therefore was not an international standard.
• Passport has now been superseded by Windows Live ID, which is an identity meta-system that provides support for Passport, CardSpace and OpenID.
45. Example 2: Shibboleth
• Internet2 consortium project.
• Uses an OASIS standard protocol (SAML) for authentication at the home site and authorisation via a set of user attributes provided by the home site.
• Provides users access to remote resources.
46. Shibboleth Access Stages
• Obtaining an authentication assertion for a user from his home site (IdP).
• Using this to get a set of attribute assertions for the user.
• The two messages can be combined into one exchange to make the protocol more efficient.
47. User Authentication using Shibboleth [2]
[Figure: user, Web Service with SHIB SP, WAYF service, Identity Provider with Authentication Service and Attribute Authority; steps 5–6 return a signed authentication assertion]
48. The WAYF Service
[Figure: the WAYF ("Where Are You From") service]
49. Authorization using Shibboleth [2]
[Figure: user, Web Service with SHIB SP, Authz service, SHIB IdP with Authn Service and AA Server; steps 9–10 deliver the user's attributes]
50. Shibboleth disadvantages
• Single attribute authority to the service provider.
• Subject to phishing attacks.
• No single sign off.
• Credentials can be stolen from a browser and used by an imposter.
• Shibboleth cannot be used for services that need to know who the user is for service personalisation.
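Slide 12 says SSO sites keep their state in cookies, and slide 50 lists credentials being stolen from the browser as a weakness. Whether a session cookie can be read by page script or leaks over plain HTTP is decided by the attributes on its Set-Cookie header, so a service provider can audit its own login responses for them. The following Python is an added example written for this page, not code from the deck or from Shibboleth; the response headers are constructed, and the attribute checks follow the standard Secure, HttpOnly and SameSite cookie attributes.

```python
def parse_set_cookie(header):
    """Split a Set-Cookie header value into (name, value, attributes).
    Attribute names are lower-cased; flags without a value (Secure, HttpOnly)
    map to True."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def audit_set_cookie(header):
    """Return the list of weaknesses in one session cookie's attributes."""
    name, _, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append(f"{name}: missing Secure, so the browser also sends it over plain HTTP")
    if "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly, so page scripts can read it")
    samesite = attrs.get("samesite")
    if not isinstance(samesite, str) or samesite.lower() not in ("lax", "strict"):
        findings.append(f"{name}: SameSite is not Lax or Strict, so it is attached to cross-site requests")
    if "expires" in attrs or "max-age" in attrs:
        findings.append(f"{name}: persistent cookie, it survives closing the browser")
    return findings


def hardened_session_cookie(name, value, path="/"):
    """The corrected form: session-only, HTTPS-only, script-inaccessible, Lax."""
    return f"{name}={value}; Path={path}; Secure; HttpOnly; SameSite=Lax"


def audit_response_headers(headers):
    """Audit every Set-Cookie header in a response's (name, value) header list,
    keyed by cookie name."""
    return {
        parse_set_cookie(value)[0]: audit_set_cookie(value)
        for key, value in headers
        if key.lower() == "set-cookie"
    }


# Constructed sample: the headers a participating site returns after login.
# The first two cookies are set the weak way; the third uses the corrected form.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session=c0ffee; Path=/"),
    ("Set-Cookie", "profile=alice%40example; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Secure"),
    ("Set-Cookie", hardened_session_cookie("session2", "deadbeef")),
]

if __name__ == "__main__":
    for cookie, findings in audit_response_headers(SAMPLE_HEADERS).items():
        print(cookie, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

One caveat for federated flows: a Lax cookie is not sent on a cross-site POST, so when the identity provider form-POSTs the user back to the service provider (slide 13), the service provider must establish its session in the response to that POST rather than expect an earlier Lax cookie to arrive with it.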
51. Bibliography
1. John Wandelt, Georgia Tech Research Institute (GTRI), August 2007, www.it.ojp.gov/GFIPM
2. Lecture Notes by David Chadwick, 2011, True-Trust Ltd.
3. http://shibboleth.internet2.edu/
52. Summary
• In this session we discussed the following:
– Federated Identity Management, with different examples.
53. Thanks
Dr. Radwan Tahboub