Geneva Application Security Forum: Towards stronger authentication in web applications
1. OpenID & SAML, Identity Federation, SuisseID, Strong Authentication Service
Single Sign-On Concepts with a Future
Geneva Application Security Forum 2010
March 4th 2010
Robert Ott, Master of Science (Honors), CFO, Clavid AG, Switzerland
Fredi Weideli, Master of Computer Science, CTO
Clavid AG, Zug
OpenID Representative Switzerland
2. Agenda
• SECTION 1 OpenID - What is it? How does it work? Integration?
• SECTION 2 SAML - What is it? How does it work?
• SECTION 3 Identity Federation
• SECTION 4 A Word on SuisseID
• SECTION 5 Strong Authentication as a Service
• SECTION 6 Further Links / Conclusion / Q&A
Geneva Application Security Forum 2010, March 4th 2010
3. SECTION 1
SECTION 1
OpenID
> What is it?
> How does it work?
> How to integrate?
4. OpenID - What is it?
> Internet Single Sign-On
> Relatively Simple Protocol
> User-Centric Identity Management
> Internet Scalable
> Free Choice of Identity Provider
> No License Fee
> Independent of Identification Methods
> Non-Profit Organization
5. OpenID - How does it work?
Diagram: User Hans Muster (domain www.iid.ch) owns the Identity URL hans.muster.iid.ch, which is his OpenID (OpenID = hans.muster.iid.ch). Authentication takes place at the Identity Provider (e.g. clavid.ch); the OpenID-enabled service only receives the Identity URL.
6. OpenID - How does it work?
Diagram: numbered flow between User Hans Muster, the Identity Provider (e.g. clavid.com, Identity URL https://hans.muster.clavid.com) and the OpenID-enabled service.
Caption
1. User enters OpenID
2. Discovery
3. Authentication
4. Approval
4a. Change Attributes
5. Send Attributes
6. Validation
7. OpenID - How does it work?
Step 1: A user decides to use a personalized Internet Service supporting OpenID (e.g. local.ch). The user clicks on "Login using OpenID" and enters his OpenID (e.g. hans.muster.iid.ch).
Step 2: The requested Internet Service converts the OpenID into a URL (http://hans.muster.iid.ch) and fetches this URL in order to discover the user's Identity Provider.
Step 2a: In this example, the user has delegated his OpenID to the Identity Provider clavid.ch.
Step 3: The Identity Provider offers the authentication methods available for that specific user (in this case "Password"). Having successfully authenticated, the next step (approval) is initiated.
Step 4: The user decides on the values of the requested attributes to be provided to the Internet Service. The Identity Provider usually offers user-specific Personas (attribute templates) to assist the user in this approval process.
Step 4a: At this point, the user may change attribute values and store them on the Identity Provider for future approvals for that specific service. Thus, a user can automate future approvals for specific Internet Services.
Step 5, 6: The attribute values are then signed and sent from the Identity Provider to the Internet Service. The Internet Service validates the signature of the provided attributes and finally accepts the user as authenticated. Besides the signature, the service must check that the response is addressed to it (return_to), that the identifier and provider endpoint match what discovery returned, and that the response nonce has not been seen before; otherwise a correctly signed assertion can be replayed or redirected to another site.
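The relying-party side of steps 2, 2a and 6 above, as an added example (not code from the talk or from Clavid): HTML-based discovery that follows a delegation link, and verification of the signed positive assertion with a shared association key. The hostnames, the association handle, the MAC key and the identity page are constructed for illustration; the signature is HMAC-SHA256 over the key-value form of the fields listed in openid.signed, as OpenID 2.0 specifies.

```python
"""OpenID 2.0 relying party: discovery with delegation and assertion check.
Added example; endpoints, keys and the identity page are constructed."""
import base64
import calendar
import hashlib
import hmac
import time
from html.parser import HTMLParser

OPENID2_NS = "http://specs.openid.net/auth/2.0"
# Fields a positive assertion must cover with its signature.
REQUIRED_SIGNED = ("op_endpoint", "return_to", "response_nonce",
                   "assoc_handle", "claimed_id", "identity")

# Constructed identity page for the claimed identifier https://hans.muster.iid.ch/
# that delegates to a provider (step 2a). Hostnames are assumptions.
IDENTITY_PAGE = """<html><head>
<link rel="openid2.provider" href="https://op.example/endpoint">
<link rel="openid2.local_id" href="https://hans.muster.op.example/">
</head><body>Hans Muster</body></html>"""


class _LinkRelParser(HTMLParser):
    """Collects <link rel=... href=...> elements from the identity page."""
    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag == "link":
            a = dict(attrs)
            for rel in (a.get("rel") or "").lower().split():
                self.links[rel] = a.get("href")


def discover(identity_html):
    """Step 2: returns (OP endpoint, OP-local identifier). The local id differs
    from the claimed id when the user delegates; both come from OUR fetch."""
    p = _LinkRelParser()
    p.feed(identity_html)
    endpoint = p.links.get("openid2.provider")
    if not endpoint:
        raise ValueError("no openid2.provider link on identity page")
    return endpoint, p.links.get("openid2.local_id")


def kv_form(params, signed_fields):
    """Key-Value form over the signed fields: the exact bytes that are MACed."""
    return "".join("%s:%s\n" % (f, params["openid." + f])
                   for f in signed_fields).encode()


def sign(params, mac_key):
    """Provider side: HMAC-SHA256 (assoc_type HMAC-SHA256) over openid.signed."""
    body = kv_form(params, params["openid.signed"].split(","))
    return base64.b64encode(hmac.new(mac_key, body, hashlib.sha256).digest()).decode()


def verify_assertion(params, mac_key, assoc_handle, op_endpoint, claimed_id,
                     return_to, seen_nonces, now=None, max_skew=300):
    """Step 6. Every value is compared against what the service itself
    discovered or stored, never against what the response claims."""
    now = time.time() if now is None else now
    if params.get("openid.ns") != OPENID2_NS or params.get("openid.mode") != "id_res":
        return False
    if (params.get("openid.return_to") != return_to
            or params.get("openid.op_endpoint") != op_endpoint
            or params.get("openid.claimed_id") != claimed_id
            or params.get("openid.assoc_handle") != assoc_handle):
        return False
    signed = params.get("openid.signed", "").split(",")
    if any(f not in signed for f in REQUIRED_SIGNED):
        return False
    if any("openid." + f not in params for f in signed):
        return False
    # Replay protection: nonce = UTC timestamp + unique suffix; must be fresh and unseen.
    nonce = params.get("openid.response_nonce", "")
    try:
        issued = calendar.timegm(time.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ"))
    except ValueError:
        return False
    if abs(now - issued) > max_skew or nonce in seen_nonces:
        return False
    expected = sign(params, mac_key)
    if not hmac.compare_digest(expected.encode(), params.get("openid.sig", "").encode()):
        return False
    seen_nonces.add(nonce)
    return True
```

The nonce set is per relying party and only needs to hold entries for the skew window; anything older is rejected by the timestamp check before the set is consulted.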
8. OpenID - How does it work?
9. OpenID - How does it work?
11. OpenID - How to Integrate?
Assumptions concerning your current Site
• Users sign in with their username and password
• There is a form where new users have to register
• Each user is identified by a unique ID in your database
• A settings page lets users manage their account info
Recipe
• Extend the database to map OpenIDs to user IDs
• Extend the registration page with an OpenID input field
• Extend the sign-in page with an OpenID input field
• Extend the settings page to attach and detach OpenIDs
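The database part of the recipe above, as an added example (not code from the talk): a table mapping OpenIDs to existing user IDs, the attach/detach operations behind the settings page, and the lookup behind the sign-in page. Identifiers are normalized the way OpenID 2.0 prescribes before every store or compare, a single OpenID can only belong to one account, and detach is scoped to the owning user. The schema, table names and sample users are constructed; SQLite is used so it runs in memory.

```python
"""Mapping verified OpenIDs to local user IDs. Added example with a constructed schema."""
import sqlite3
from urllib.parse import urlsplit, urlunsplit


def normalize(identifier):
    """OpenID 2.0 identifier normalization (section 7.2): strip xri://, add
    http:// if no scheme, lowercase scheme and host, drop fragment, default path.
    Without this, 'Hans.Muster.iid.ch' and 'http://hans.muster.iid.ch/#x'
    would look like two different users."""
    s = identifier.strip()
    if s.lower().startswith("xri://"):
        s = s[6:]
    if "://" not in s:
        s = "http://" + s
    parts = urlsplit(s)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("not a URL identifier: %r" % identifier)
    netloc = parts.hostname.lower()
    default_port = 80 if parts.scheme == "http" else 443
    if parts.port and parts.port != default_port:
        netloc += ":%d" % parts.port
    return urlunsplit((parts.scheme, netloc, parts.path or "/", parts.query, ""))


class OpenIDStore:
    def __init__(self, conn):
        self.conn = conn
        conn.execute("PRAGMA foreign_keys = ON")
        conn.executescript("""
            CREATE TABLE IF NOT EXISTS users (
                id INTEGER PRIMARY KEY, username TEXT UNIQUE NOT NULL);
            CREATE TABLE IF NOT EXISTS user_openids (
                openid  TEXT PRIMARY KEY,   -- one OpenID belongs to exactly one account
                user_id INTEGER NOT NULL REFERENCES users(id));
            CREATE INDEX IF NOT EXISTS user_openids_user ON user_openids(user_id);""")

    def attach(self, user_id, identifier):
        """Settings page: bind an OpenID that was just verified (step 6 of the
        flow) to the logged-in account. Refuses if it is bound elsewhere."""
        oid = normalize(identifier)
        try:
            self.conn.execute("INSERT INTO user_openids VALUES (?, ?)", (oid, user_id))
        except sqlite3.IntegrityError:
            raise ValueError("OpenID already attached to an account, or unknown user")
        return oid

    def detach(self, user_id, identifier):
        """Scoped to the owner so a user cannot unbind another account's OpenID."""
        cur = self.conn.execute(
            "DELETE FROM user_openids WHERE openid = ? AND user_id = ?",
            (normalize(identifier), user_id))
        return cur.rowcount == 1

    def lookup(self, identifier):
        """Sign-in page: map a verified claimed identifier to the local user ID."""
        row = self.conn.execute(
            "SELECT user_id FROM user_openids WHERE openid = ?",
            (normalize(identifier),)).fetchone()
        return row[0] if row else None


def demo():
    """Constructed sample data: two local accounts, one with an OpenID attached."""
    conn = sqlite3.connect(":memory:")
    store = OpenIDStore(conn)
    conn.execute("INSERT INTO users (id, username) VALUES (1, 'hans'), (2, 'erika')")
    store.attach(1, "hans.muster.iid.ch")
    return store
```

Only call attach or lookup with an identifier the OpenID library has just verified; the store trusts its input, the verification is the library's job.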
12. OpenID - How to Integrate?
Ingredients
• An OpenID Consumer (Relying Party) Library
• The Standard OpenID Logos
• An OpenID Provider to test your site with
13. OpenID - How to Integrate?
OpenID Libraries
Language     Library
C#           DotNetOpenId, ExtremeSwank
C++          Libopkele
Java         NetMesh InfoGrid LID, OpenID4Java, joid
Perl         Net::OpenID, OpenID4Perl
Python       JanRain
Ruby         JanRain, Heraldry
PHP          JanRain, Zend Framework OpenID Component, Saeven.net's JanRain Service Utility Class, Taral, Simple Class, sfOpenIDPlugin, CakePHP, EasyOpenID, OpenID For PHP, AuthOpenID Snippet
ColdFusion   CFKit OpenID, CFOpenID, OpenID CFC
Apache 2     mod_auth_openid
14. SECTION 2
SECTION 2
SAML
>What is it?
>How does it work?
15. SAML – What is it?
SAML (Security Assertion Markup Language):
> Defined by OASIS
> Well and Academically Designed Specification
> Uses XML Syntax
> Used for Authentication & Authorization
> SAML Assertions
> Statements: Authentication, Attribute, Authorization Decision
> SAML Protocols
> Queries: Authentication, Artifact, Name Identifier Mapping, etc.
> SAML Bindings
> SOAP, Reverse-SOAP (PAOS), HTTP-Redirect, HTTP-POST, HTTP-Artifact
> SAML Profiles
> Web Browser Single Sign-On Profile, Identity Provider Discovery Profile, Assertion Query / Request Profile, Attribute Profiles
16. SAML – How does it work?
Diagram: User Hans Muster accesses a resource at the SAML-enabled service (e.g. Google Apps for Business). The service redirects the browser with a SAML <AuthnRequest> to the Identity Provider (e.g. clavid.ch); after authentication the Identity Provider redirects back with a <Response> carrying a signed Assertion.
17. SAML – How does it work?
Diagram: numbered flow (1 to 6) between User Hans Muster, the Identity Provider (e.g. clavid.ch) and the SAML-enabled service (e.g. Google Apps for Business); the steps are listed on the next slide.
18. SAML – How does it work?
Step 1: A user decides to use a personalized Internet Service connected to a SAML-based Identity Provider (e.g. Google Apps Calendar).
Step 2: The Internet Service recognizes that the user is not logged in yet. A SAML <AuthnRequest> is created and sent via redirect to the Identity Provider.
Step 3: The Identity Provider offers the authentication methods available for that specific user (in this case "YubiKey" OTP). Having successfully authenticated, the next step is initiated.
Step 4: The Identity Provider creates a SAML <Response> containing the user's identifier for the specific target application. Then it signs the SAML <Response> and sends it back to the Internet Service (e.g. Google Calendar) via the browser with an HTTP POST (auto-submitted form).
Step 5: The Internet Service (e.g. Google Apps) verifies the signature of the SAML <Response> and now knows the user's identifier provided by the Identity Provider. It must also check that the response answers a request it actually sent (InResponseTo), that it is addressed to its own endpoint and entity ID (Destination, Audience), and that the assertion is still within its validity window.
Step 6: The Internet Service can now be used by the user.
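The service-provider side of steps 2 and 5 above, as an added example (not code from the talk, Clavid or Google): building the <AuthnRequest> for the HTTP-Redirect binding (raw DEFLATE, then base64, then URL-encoded), and the checks that must still run on the <Response> after its XML signature has been verified. XML-DSig verification needs a library such as xmlsec (or python3-saml) and is assumed to have passed on the assertion before validate_response is called; it is not re-implemented here. Entity IDs, URLs and the unsigned sample response are constructed, and in production untrusted XML should be parsed with defusedxml rather than the stdlib parser.

```python
# SAML 2.0 SP side: AuthnRequest for HTTP-Redirect, post-signature Response checks.
# Added example with constructed entity IDs, URLs and sample response.
import base64
import calendar
import secrets
import time
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
NS = {"samlp": SAMLP, "saml": SAML}


def _iso(ts):
    return time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(ts))


def _parse_iso(s):
    if not s:
        raise ValueError("missing timestamp")
    s = s.split(".")[0].rstrip("Z") + "Z"  # drop fractional seconds
    return calendar.timegm(time.strptime(s, "%Y-%m-%dT%H:%M:%SZ"))


def build_authn_request(sp_entity_id, acs_url, idp_sso_url, now=None, request_id=None):
    """Step 2: returns (request ID to keep in the session, redirect URL for the browser)."""
    request_id = request_id or "_" + secrets.token_hex(16)
    xml = ('<samlp:AuthnRequest xmlns:samlp="%s" xmlns:saml="%s" ID="%s" Version="2.0" '
           'IssueInstant="%s" Destination="%s" AssertionConsumerServiceURL="%s" '
           'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
           '<saml:Issuer>%s</saml:Issuer></samlp:AuthnRequest>'
           % (SAMLP, SAML, request_id, _iso(now or time.time()), idp_sso_url, acs_url, sp_entity_id))
    c = zlib.compressobj(9, zlib.DEFLATED, -15)  # HTTP-Redirect binding: raw DEFLATE, no zlib header
    deflated = c.compress(xml.encode()) + c.flush()
    return request_id, idp_sso_url + "?" + urlencode({"SAMLRequest": base64.b64encode(deflated).decode()})


def decode_redirect(url):
    """What the IdP does with the redirect URL: recover the AuthnRequest XML."""
    q = parse_qs(urlsplit(url).query)
    return zlib.decompress(base64.b64decode(q["SAMLRequest"][0]), -15).decode()


def validate_response(xml_bytes, request_id, acs_url, sp_entity_id, idp_entity_id,
                      seen_assertion_ids, now=None):
    """Step 5 after signature verification: bind the response to our request, our
    endpoint and our audience; reject stale or replayed assertions. Returns the NameID."""
    now = time.time() if now is None else now
    root = ET.fromstring(xml_bytes)
    if root.tag != "{%s}Response" % SAMLP:
        raise ValueError("not a samlp:Response")
    if root.get("Destination") != acs_url:
        raise ValueError("Destination is not our ACS URL")
    if root.get("InResponseTo") != request_id:
        raise ValueError("unsolicited response or InResponseTo mismatch")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise ValueError("status is not Success")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:  # an extra unsigned assertion is the classic wrapping trick
        raise ValueError("expected exactly one Assertion")
    a = assertions[0]
    if a.findtext("saml:Issuer", "", NS) != idp_entity_id:
        raise ValueError("assertion from unexpected issuer")
    cond = a.find("saml:Conditions", NS)
    if cond is None or not (_parse_iso(cond.get("NotBefore")) <= now < _parse_iso(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")
    if sp_entity_id not in [x.text for x in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        raise ValueError("assertion is not addressed to this service")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if (scd is None or scd.get("Recipient") != acs_url or scd.get("InResponseTo") != request_id
            or now >= _parse_iso(scd.get("NotOnOrAfter"))):
        raise ValueError("SubjectConfirmationData does not match this request")
    if a.get("ID") in seen_assertion_ids:
        raise ValueError("assertion replayed")
    seen_assertion_ids.add(a.get("ID"))
    return a.findtext("saml:Subject/saml:NameID", None, NS)


def make_sample_response(request_id, acs_url, sp_entity_id, idp_entity_id, name_id, now):
    """Constructed, unsigned stand-in for the IdP's step 4 output; sample input only."""
    return ('<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" ID="_r1" Version="2.0" IssueInstant="%s" '
            'Destination="%s" InResponseTo="%s"><saml:Issuer>%s</saml:Issuer>'
            '<samlp:Status><samlp:StatusCode Value="%s"/></samlp:Status>'
            '<saml:Assertion ID="_a1" Version="2.0" IssueInstant="%s"><saml:Issuer>%s</saml:Issuer>'
            '<saml:Subject><saml:NameID>%s</saml:NameID>'
            '<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
            '<saml:SubjectConfirmationData Recipient="%s" InResponseTo="%s" NotOnOrAfter="%s"/>'
            '</saml:SubjectConfirmation></saml:Subject>'
            '<saml:Conditions NotBefore="%s" NotOnOrAfter="%s"><saml:AudienceRestriction>'
            '<saml:Audience>%s</saml:Audience></saml:AudienceRestriction></saml:Conditions>'
            '</saml:Assertion></samlp:Response>'
            % (SAMLP, SAML, _iso(now), acs_url, request_id, idp_entity_id, SUCCESS, _iso(now),
               idp_entity_id, name_id, acs_url, request_id, _iso(now + 300), _iso(now - 60),
               _iso(now + 300), sp_entity_id)).encode()
```

The request ID from build_authn_request has to live in the user's session, not in a cookie the browser can forge, because InResponseTo is what ties the returned assertion to a login this service actually started.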
19. SAML – How does it work?
Screenshots: 1) Call Application URL, 2) Login, 3) Application Usage
20. SECTION 3
SECTION 3
Identity Federation
21. B2B Identity Federation - The Protocol Problem
Diagram: the intranet of Company A connects, over https, to Internet Service A (Travel Ticket Shop) with a proprietary token, to Internet Service B (Document Management) with OpenID, to Internet Service C (Personnel Recruiting) with SAML 1.0 and to SaaS Applications with SAML 2.0. Each service dictates its own protocol.
22. B2B Identity Federation - The Protocol Mess
Diagram: Companies A, B and C each maintain their own set of connections (proprietary token, OpenID, SAML 1.0 and SAML 2.0, all over https) to Internet Service A (Travel Ticket Shop), Internet Service B (Document Management), Internet Service C (Personnel Recruiting) and the SaaS Applications. Every company has to implement every protocol.
23. B2B Identity Federation - The Protocol Solution
Diagram: an Internet Identity Provider sits between the intranets of Companies A, B and C and the services. It performs identity mapping and Internet SSO, offers the authentication methods (proprietary token, One Time Password (OTP), Biometric (AXSionics), Mobile Phone (SMS), eID (Identity Card), SSL Certificates) and speaks each service's protocol on the companies' behalf: proprietary token to Internet Service A (Travel Ticket Shop), OpenID to Internet Service B (Document Management), SAML 1.0 to Internet Service C (Personnel Recruiting) and SAML 2.0 to the SaaS Applications, all over https.
24. B2B Identity Federation - The Protocol Solution
Diagram: Identity Federation. The intranets of Companies A, B and C each connect over https to the Internet Identity Provider, which provides Internet SSO with proprietary token, One Time Password (OTP), Biometric (AXSionics), Mobile Phone (SMS), eID (Identity Card) and SSL Certificates, and federates outward over SAML 1.0 and SAML 2.0.
25. SECTION 4
SECTION 4
A Word on SuisseID
26. A Word On SuisseID
• SuisseID is currently in the early draft specification phase
• SuisseID should be available to the public in spring 2010
• SuisseID cost will be refunded by the Government in 2010
• SuisseID will most probably consist of:
– A signature certificate
– An authentication certificate
– All certificates conform to ZertES
– Certificates contain a unique SuisseID number
– Identity Provider services for attribute exchange
• Eligible SuisseID certificate service providers will be:
– Swiss Post (SwissSign), Swisscom, QuoVadis, Swiss Government
27. A Word On SuisseID
28. SECTION 5
SECTION 5
Strong Authentication as a Service
29. OpenID - International Identity Providers
OpenID identity providers grouped by authentication method: Username/Password, Certificates, Biometric, OTP
30. Clavid Portal for Strong Authentication
31. Clavid Portal - AXSionics
32. Clavid Portal - Yubikey
33. Clavid Portal - Certificates
34. Clavid Portal - One Time Password
OTP Methods:
• OATH HOTP (RFC 4226)
• Challenge/Response (RFC 2289)
• Mobile OTP (open source project)
• SMS
• ... others ...
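The first method in the list, OATH HOTP per RFC 4226, as an added example (not Clavid's implementation): the HMAC-SHA-1 based code generation with dynamic truncation, and the server-side validation a portal needs on top of it, namely a look-ahead window for tokens whose counter has drifted ahead and a strictly increasing stored counter so that an intercepted code can never be accepted a second time. The secret is the test secret from RFC 4226 Appendix D, so the codes can be checked against the RFC; the window size is an assumption.

```python
"""HOTP (RFC 4226) generation and replay-safe server-side verification. Added example."""
import hashlib
import hmac
import struct

RFC4226_SECRET = b"12345678901234567890"  # test secret from RFC 4226 Appendix D


def hotp(secret, counter, digits=6):
    """HOTP(K, C) = Truncate(HMAC-SHA-1(K, C)) mod 10^digits (RFC 4226 section 5.3)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, code % 10 ** digits)


class HotpValidator:
    """Server-side state for one token: next expected counter plus look-ahead window."""

    def __init__(self, secret, counter=0, window=10, digits=6):
        self.secret = secret
        self.counter = counter      # persist this per token in a real portal
        self.window = window        # assumed value; how far the token may run ahead
        self.digits = digits

    def verify(self, code):
        """Accept only if the code matches one of the next `window` counters, then
        advance past it: codes at or below the stored counter are dead, so a
        captured code cannot be replayed and the token resyncs automatically."""
        for i in range(self.window):
            candidate = hotp(self.secret, self.counter + i, self.digits)
            if hmac.compare_digest(candidate, code):
                self.counter += i + 1
                return True
        return False
```

A failed attempt must not move the counter, and the portal should rate-limit verify calls per token; with a 10-wide window and 6 digits an attacker still has a 1 in 100,000 chance per guess.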
35. Clavid Portal - Personas
36. Clavid Portal - Login Settings
37. Clavid Login Dialog
38. SECTION 6
SECTION 6
Conclusion
>Further References
>Questions & Answers
>Contact Information
39. Further Links: on OpenID
OpenID Identity Providers can be found at:
> http://en.wikipedia.org/wiki/OpenID
> http://en.wikipedia.org/wiki/List_of_OpenID_providers
> http://www.openiddirectory.com/openid-providers-c-1.html
> http://www.clavid.com/ (Strong Authentication in Europe)
40. Conclusion
> OpenID: An open, well documented specification allowing Internet Single Sign-On (SSO) for individual "Public Services" (B2C)
> SAML: Trust-based Internet and Intranet Single Sign-On for Business Services (B2B)
> Professional Identity Providers already in place
> User-Centric Identity Management already integrated
> Join OpenID Switzerland in order to increase the OpenID momentum
> Enable your Internet Services to support OpenID or SAML!
41. Demo
> SAML login to Google Business Apps using AXSionics fingerprint
> SAML login to Salesforce.com using YubiKey OTP
> OpenID login to local.ch using a Swiss Post certificate
> Online Identity Administration (Clavid Portal)
42. Questions & Answers
43. Contact Information