OpenID & SAML, Identity Federation, SuisseID, Strong Authentication Service
Single Sign-On Concepts with Future

Geneva Application Security Forum 2010
March 4th 2010

Robert Ott, Master of Science (Honors), CFO, Clavid AG, Switzerland
Fredi Weideli, Master of Computer Science, CTO, Clavid AG, Zug
OpenID Representative Switzerland
Agenda

• SECTION 1   OpenID - What is it? How does it work? Integration?

• SECTION 2   SAML - What is it? How does it work?

• SECTION 3   Identity Federation

• SECTION 4   A Word on SuisseID

• SECTION 5   Strong Authentication as a Service

• SECTION 6   Further Links / Conclusion / Q&A




SECTION 1: OpenID
> What is it?
> How does it work?
> How to integrate?

OpenID - What is it?

>   Internet Single Sign-On
>   Relatively Simple Protocol
>   User-Centric Identity Management
>   Internet Scalable
>   Free Choice of Identity Provider
>   No License Fee
>   Independent of Identification Methods
>   Non-Profit Organization

OpenID - How does it work?

[Figure: User Hans Muster (domain www.iid.ch) with OpenID=hans.muster.iid.ch; AUTHENTICATION takes place at the Identity Provider (e.g. clavid.ch); the Identity URL (e.g. hans.muster.iid.ch) is presented to the OpenID-enabled service.]

OpenID - How does it work?

[Figure: numbered exchange between User Hans Muster (OpenID hans.muster.clavid.com), the Identity Provider (e.g. clavid.com, Identity URL https://hans.muster.clavid.com) and the OpenID-enabled service.]

Caption
1. User enters OpenID
2. Discovery
3. Authentication
4. Approval
4a. Change Attributes
5. Send Attributes
6. Validation

OpenID - How does it work?

Step 1:    A user decides to use a personalized Internet Service supporting OpenID (e.g. local.ch). The user clicks
           "Login using OpenID" and enters his OpenID (e.g. hans.muster.iid.ch).
Step 2:    The requested Internet Service converts the OpenID into a URL (http://hans.muster.iid.ch) and requests
           this URL in order to discover the Identity Provider of the user.
Step 2a:   In this example, the user has delegated his OpenID to the Identity Provider clavid.ch.
Step 3:    The Identity Provider offers the authentication methods available for that specific user (in this case
           "Password"). Having successfully authenticated, the next step (approval) is initiated.
Step 4:    The user decides on the values of the requested attributes to be provided to the Internet Service. The
           Identity Provider usually provides user-specific Personas (attribute templates) to assist the user in this
           approval process.
Step 4a:   At this point, the user may decide to change attribute values and store them on the Identity Provider for
           future approvals for that specific service. Thus, a user can automate future approvals for specific Internet
           Services.
Step 5, 6: The attribute values are then signed and communicated from the Identity Provider to the Internet
           Service. The Internet Service validates the signature of the provided attributes and finally accepts the user
           as authenticated.

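The consumer (Internet Service) side of steps 1 to 6, as an added example that is not code from these slides or from any library they list. It normalizes the typed identifier (steps 1/2), performs HTML-based discovery on a constructed identifier page that delegates to the Identity Provider (steps 2/2a), and validates a positive assertion the way a consumer library does for steps 5/6: signature over the key-value form (OpenID 2.0 section 6), return_to and op_endpoint checks against discovery, and a nonce store against replay. The MAC key, nonce, URLs and the SREG attribute are constructed sample values; the shared MAC key would normally come from the association step, which is not shown.

```python
import base64, calendar, hashlib, hmac, time
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

def normalize_identifier(user_input):
    """Steps 1/2: 'hans.muster.iid.ch' becomes 'http://hans.muster.iid.ch/' (OpenID 2.0, 7.2)."""
    ident = user_input.strip()
    p = urlsplit(ident if "://" in ident else "http://" + ident)
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path or "/", p.query, ""))  # fragment dropped

class _LinkCollector(HTMLParser):
    """Collects <link rel=... href=...> tags from the fetched identifier page (HTML discovery)."""
    def __init__(self):
        super().__init__()
        self.links = {}
    def handle_starttag(self, tag, attrs):
        if tag == "link":
            attrs = dict(attrs)
            for rel in (attrs.get("rel") or "").split():
                self.links.setdefault(rel, attrs.get("href"))

def html_discover(document):
    """Steps 2/2a: the OP endpoint and, if the user delegated, the OP-local identifier."""
    collector = _LinkCollector()
    collector.feed(document)
    return {"op_endpoint": collector.links.get("openid2.provider"),
            "local_id": collector.links.get("openid2.local_id")}

def _kv_form(params, signed_names):
    """Key-Value form of the signed fields; this is what the HMAC covers (OpenID 2.0, 6.1)."""
    return "".join(f"{n}:{params['openid.' + n]}\n" for n in signed_names).encode()

def sign_response(params, mac_key):
    """Stands in for the OP in step 5: HMAC-SHA1 over the fields listed in openid.signed."""
    digest = hmac.new(mac_key, _kv_form(params, params["openid.signed"].split(",")), hashlib.sha1).digest()
    return {**params, "openid.sig": base64.b64encode(digest).decode()}

def nonce_timestamp(nonce):
    """response_nonce begins with a UTC timestamp 'YYYY-MM-DDThh:mm:ssZ' (OpenID 2.0, 10.1)."""
    return calendar.timegm(time.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ"))

def verify_positive_assertion(params, mac_key, return_to, discovered, seen_nonces, now, max_age=300):
    """Step 6 as a consumer library performs it. Returns (accepted, reason)."""
    if params.get("openid.mode") != "id_res":
        return False, "not a positive assertion"
    if params.get("openid.return_to") != return_to:
        return False, "return_to is not this service"
    if params.get("openid.op_endpoint") != discovered["op_endpoint"]:
        return False, "op_endpoint differs from discovery"
    if discovered.get("local_id") and params.get("openid.identity") != discovered["local_id"]:
        return False, "identity differs from the delegated local_id"
    signed = params.get("openid.signed", "").split(",")
    # claimed_id and identity are present in this flow, so they must be signed too
    required = {"op_endpoint", "return_to", "response_nonce", "assoc_handle", "claimed_id", "identity"}
    if not required.issubset(signed) or any("openid." + n not in params for n in signed):
        return False, "mandatory field unsigned or missing"
    digest = hmac.new(mac_key, _kv_form(params, signed), hashlib.sha1).digest()
    if not hmac.compare_digest(base64.b64encode(digest).decode(), params.get("openid.sig", "")):
        return False, "signature invalid"
    nonce = params["openid.response_nonce"]
    if nonce in seen_nonces:
        return False, "nonce already seen (replay)"
    try:
        if abs(now - nonce_timestamp(nonce)) > max_age:
            return False, "nonce timestamp outside the acceptance window"
    except ValueError:
        return False, "nonce has no valid timestamp"
    seen_nonces.add(nonce)  # remember it for the lifetime of the acceptance window
    return True, "accepted"

# Constructed identifier page for http://hans.muster.iid.ch/, delegating to the IdP (step 2a)
SAMPLE_IDENTIFIER_PAGE = """<html><head>
<link rel="openid2.provider" href="https://clavid.ch/openid/server">
<link rel="openid2.local_id" href="https://hans.muster.clavid.ch/"></head><body>Hans Muster</body></html>"""
MAC_KEY = b"constructed-association-mac-key"     # really established by the association step
RETURN_TO = "https://www.local.ch/openid/return"  # constructed return URL of the enabled service

def sample_response(nonce="2010-03-04T10:00:00Zx7Kq"):
    """Constructed positive assertion as the OP sends it in step 5 (one SREG attribute included)."""
    return sign_response({
        "openid.ns": "http://specs.openid.net/auth/2.0", "openid.mode": "id_res",
        "openid.op_endpoint": "https://clavid.ch/openid/server", "openid.return_to": RETURN_TO,
        "openid.claimed_id": "http://hans.muster.iid.ch/", "openid.identity": "https://hans.muster.clavid.ch/",
        "openid.response_nonce": nonce, "openid.assoc_handle": "constructed-handle-1",
        "openid.ns.sreg": "http://openid.net/extensions/sreg/1.1", "openid.sreg.email": "hans.muster@example.com",
        "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle,ns.sreg,sreg.email",
    }, MAC_KEY)

def demo():
    """Runs the consumer-side flow on the constructed data and returns every outcome."""
    discovered = html_discover(SAMPLE_IDENTIFIER_PAGE)
    seen, good = set(), sample_response()
    now = nonce_timestamp(good["openid.response_nonce"]) + 5
    first = verify_positive_assertion(good, MAC_KEY, RETURN_TO, discovered, seen, now)
    replay = verify_positive_assertion(good, MAC_KEY, RETURN_TO, discovered, seen, now)
    altered = {**good, "openid.sreg.email": "other@example.com"}  # attribute changed after signing
    tampered = verify_positive_assertion(altered, MAC_KEY, RETURN_TO, discovered, set(), now)
    return {"claimed_id": normalize_identifier("hans.muster.iid.ch"), "discovered": discovered,
            "first": first, "replay": replay, "tampered": tampered}
```

The order of checks matters in practice: return_to and op_endpoint are compared before the signature so that an assertion meant for another service or issued by an endpoint other than the one discovered is rejected regardless of who signed it, and the nonce is only recorded once the signature has been verified, so unsigned traffic cannot fill the nonce store.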
OpenID - How does it work?

[Figures]

OpenID - User Centric Identity Management

[Figure: TODAY: a separate Username/Password at every service. TOMORROW: one OpenID Provider in front of the services. ? FUTURE ?]

OpenID - How to Integrate?

Assumptions concerning your current site
•   Users sign in with their username and password
•   There is a form where new users have to register
•   Each user is identified by a unique ID in your database
•   A settings page lets users manage their account info

Recipe
•   Extend the database to map the OpenIDs to the user IDs
•   Extend the registration page with an OpenID input field
•   Extend the sign-in page with an OpenID input field
•   Extend the settings page to attach and detach OpenIDs

OpenID - How to Integrate?

Ingredients

•   An OpenID Consumer Library
•   The Standard OpenID Logos
•   An OpenID Provider to test your site with

OpenID - How to Integrate?

OpenID Libraries
Language      Library
C#            DotNetOpenId, ExtremeSwank
C++           Libopkele
Java          NetMesh InfoGrid LID, OpenID4Java, joid
Perl          Net::OpenID, OpenID4Perl
Python        JanRain
Ruby          JanRain, Heraldry
PHP           JanRain, Zend Framework OpenID Component, Saeven.net's JanRain Service Utility Class,
              Taral, Simple Class, sfOpenIDPlugin, CakePHP, EasyOpenID, OpenID For PHP, AuthOpenID Snippet
ColdFusion    CFKit OpenID, CFOpenID, OpenID CFC
Apache 2      mod_auth_openid

SECTION 2: SAML
> What is it?
> How does it work?

SAML – What is it?

SAML (Security Assertion Markup Language):
>   Defined by the OASIS group
>   Well and academically designed specification
>   Uses XML syntax
>   Used for authentication & authorization

> SAML Assertions
    > Statements: Authentication, Attribute, Authorization

> SAML Protocols
    > Queries: Authentication, Artifact, Name Identifier Mapping, etc.

> SAML Bindings
    > SOAP, Reverse-SOAP, HTTP-GET, HTTP-POST, HTTP-Artifact

> SAML Profiles
    > Web Browser Single Sign-On Profile, Identity Provider Discovery Profile, Assertion
      Query / Request Profile, Attribute Profile

SAML – How does it work?

[Figure: User Hans Muster accesses a resource at the enabled service (e.g. Google Apps for Business); the service redirects the browser with <AuthnRequest> to the Identity Provider (e.g. clavid.ch), which performs AUTHENTICATION and redirects back with <Response> (signed Assertion).]

SAML – How does it work?

[Figure: the same exchange between User Hans Muster, the Identity Provider (e.g. clavid.ch) and the enabled service (e.g. Google Apps for Business), numbered 1 to 6 as in the step list that follows.]

SAML – How does it work?

Step 1:   A user decides to use a personalized Internet Service connected to a SAML-based Identity
          Provider (e.g. Google Business Application Calendar).
Step 2:   The Internet Service recognizes that the user is not logged in yet. A SAML <AuthnRequest>
          is created and sent via redirect to the Identity Provider.
Step 3:   The Identity Provider offers the authentication methods available for that specific user (in this
          case "YubiKey" OTP). Having successfully authenticated, the next step is initiated.
Step 4:   The Identity Provider creates a SAML <Response> containing the user's identifier for the
          specific target application. Then it signs the SAML <Response> and sends it via a POST
          redirect to the Internet Service (e.g. Google Calendar).
Step 5:   The Internet Service (e.g. Google Apps) verifies the signature of the SAML <Response>
          and now knows the user's identifier provided by the Identity Provider.
Step 6:   The Internet Service can now be used by the user.

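The service-provider side of steps 2 and 5, as an added example that is not code from these slides or from any product shown in them. Step 2 builds the <AuthnRequest> and encodes it for the HTTP-Redirect binding (raw DEFLATE, base64, URL-encoding), which is what "sent via redirect" means on the wire. Step 5 decodes the HTTP-POST <Response> and applies the checks that must follow signature verification: Destination, InResponseTo against the stored request ID, Status, Issuer, the Conditions window, Audience and SubjectConfirmationData. XML-Signature verification itself needs an XML-DSig library and is represented here by the signature_ok hook; the constructed <Response> carries no <ds:Signature>. All entity IDs, URLs, request IDs and timestamps are constructed.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
SP_ENTITY_ID = "https://sp.example.com/saml/metadata"  # constructed
ACS_URL = "https://sp.example.com/saml/acs"            # constructed Assertion Consumer Service URL
IDP_ENTITY_ID = "https://idp.example.com/saml"         # constructed
IDP_SSO_URL = "https://idp.example.com/saml/sso"       # constructed

def build_authn_request(request_id, issue_instant):
    """Step 2: the service asks the IdP to authenticate the browser user."""
    return (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" ID="{request_id}" '
            f'Version="2.0" IssueInstant="{issue_instant}" Destination="{IDP_SSO_URL}" '
            f'AssertionConsumerServiceURL="{ACS_URL}" '
            f'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
            f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>')

def encode_redirect_binding(xml, relay_state=""):
    """HTTP-Redirect binding: raw DEFLATE, base64, URL-encode into the query string."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw deflate, no zlib header
    query = {"SAMLRequest": base64.b64encode(comp.compress(xml.encode()) + comp.flush()).decode()}
    if relay_state:
        query["RelayState"] = relay_state
    return IDP_SSO_URL + "?" + urlencode(query)

def decode_redirect_binding(url):
    """What the IdP does on receipt: reverse the encoding above."""
    query = parse_qs(url.split("?", 1)[1])
    return zlib.decompress(base64.b64decode(query["SAMLRequest"][0]), -15).decode()

def _utc(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_response(saml_response_b64, expected_request_id, now, signature_ok):
    """Step 5: checks on the HTTP-POST <Response>. Returns (name_id or None, reason)."""
    xml = base64.b64decode(saml_response_b64)
    root = ET.fromstring(xml)
    if root.tag != f'{{{NS["samlp"]}}}Response':
        return None, "not a samlp:Response"
    if not signature_ok(xml):  # XML-DSig check against the IdP's known certificate (library call)
        return None, "signature invalid"
    if root.get("Destination") != ACS_URL:
        return None, "Destination is not our ACS URL"
    if root.get("InResponseTo") != expected_request_id:
        return None, "InResponseTo does not match our AuthnRequest"
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        return None, "status is not Success"
    assertion = root.find("saml:Assertion", NS)
    if assertion is None or assertion.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        return None, "missing assertion or unexpected Issuer"
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or not (_utc(cond.get("NotBefore")) <= now < _utc(cond.get("NotOnOrAfter"))):
        return None, "assertion outside its validity window"
    if cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS) != SP_ENTITY_ID:
        return None, "Audience is not this service"
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != ACS_URL or scd.get("InResponseTo") != expected_request_id:
        return None, "SubjectConfirmationData does not match"
    return assertion.findtext("saml:Subject/saml:NameID", namespaces=NS), "accepted"

def sample_response(in_response_to):
    """Constructed <Response> as the IdP posts it in step 4 (base64 form field SAMLResponse)."""
    xml = (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" ID="_r1" Version="2.0" '
           f'IssueInstant="2010-03-04T10:00:05Z" Destination="{ACS_URL}" InResponseTo="{in_response_to}">'
           f'<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>'
           f'<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
           f'<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2010-03-04T10:00:05Z">'
           f'<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>'
           f'<saml:Subject><saml:NameID>hans.muster@example.com</saml:NameID>'
           f'<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
           f'<saml:SubjectConfirmationData Recipient="{ACS_URL}" InResponseTo="{in_response_to}" '
           f'NotOnOrAfter="2010-03-04T10:05:05Z"/></saml:SubjectConfirmation></saml:Subject>'
           f'<saml:Conditions NotBefore="2010-03-04T10:00:00Z" NotOnOrAfter="2010-03-04T10:05:05Z">'
           f'<saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>'
           f'</saml:Conditions></saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()

def demo():
    """Runs both directions on constructed data; the DSig hook is a stand-in that trusts everything."""
    request_id = "_constructed-request-id-1"
    url = encode_redirect_binding(build_authn_request(request_id, "2010-03-04T10:00:00Z"), "/calendar")
    now = datetime(2010, 3, 4, 10, 0, 30, tzinfo=timezone.utc)
    trusted = lambda xml: True
    return {
        "roundtrip": f'ID="{request_id}"' in decode_redirect_binding(url),
        "accepted": validate_response(sample_response(request_id), request_id, now, trusted),
        "wrong_request": validate_response(sample_response("_other"), request_id, now, trusted),
        "expired": validate_response(sample_response(request_id), request_id, now.replace(hour=11), trusted),
        "unsigned": validate_response(sample_response(request_id), request_id, now, lambda xml: False),
    }
```

The InResponseTo check is the part most often skipped in hand-written integrations: without it, a valid <Response> captured for one session can be posted into another, and without the Destination and Recipient checks a response issued for a different service provider at the same IdP would be accepted. The validity window uses NotOnOrAfter exclusively, as the SAML Core specification requires.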
SAML – How does it work?

[Figure: 1) Call Application URL, 2) Login, 3) Application Usage]

SECTION 3: Identity Federation

B2B Identity Federation - The Protocol Problem

[Figure: Company A's intranet (https) must reach Internet Service A (Travel Ticket Shop) with a Proprietary Token, Internet Service B (Document Management) with OpenID, Internet Service C (Personal Recruiting) with SAML 1.0 and the SaaS Applications with SAML 2.0.]

B2B Identity Federation - The Protocol Mess

[Figure: Companies A, B and C each have to speak Proprietary Token, OpenID, SAML 1.0 and SAML 2.0 from their intranets (https) to reach the same four services: Internet Service A (Travel Ticket Shop), Internet Service B (Document Management), Internet Service C (Personal Recruiting) and the SaaS Applications.]

B2B Identity Federation - The Protocol Solution

[Figure: Companies A, B and C connect over https to one Internet Identity Provider (Identity Mapping, Internet SSO) that supports One Time Password (OTP), Biometric (AXSionics), Mobile Phone (SMS), eID (Identity Card) and SSL Certificates. The provider speaks Proprietary Token to Internet Service A (Travel Ticket Shop), OpenID to Internet Service B (Document Management), SAML 1.0 to Internet Service C (Personal Recruiting) and SAML 2.0 to the SaaS Applications.]

B2B Identity Federation - The Protocol Solution

[Figure: Companies A, B and C federate their intranets over https through the same Internet Identity Provider (Identity Federation, Internet SSO), using Proprietary Token, SAML 1.0 and SAML 2.0; the provider offers One Time Password (OTP), Biometric (AXSionics), Mobile Phone (SMS), eID (Identity Card) and SSL Certificates.]

SECTION 4: A Word on SuisseID

A Word On SuisseID

•   SuisseID is currently in the early draft specification phase
•   SuisseID should be available to the public in spring 2010
•   SuisseID cost will be refunded by the Government in 2010
•   SuisseID will most probably consist of:
    – A signature certificate
    – An authentication certificate
    – All certificates conform to ZertES
    – Certificates contain a unique SuisseID number
    – Identity Provider services for attribute exchange

•   Eligible SuisseID certificate service providers will be:
    – Swiss Post (SwissSign), Swisscom, QuoVadis, Swiss Government

A Word On SuisseID

[Figure]

SECTION 5: Strong Authentication as a Service

OpenID - International Identity Providers

[Figure: international OpenID identity providers grouped by authentication method: Username/Password, Certificates, Biometric, OTP]

Clavid Portal for Strong Authentication

[Figure]

Clavid Portal - AXSionics

[Figure]

Clavid Portal - Yubikey

[Figure]

Clavid Portal - Certificates

[Figure]

Clavid Portal - One Time Password

OTP Methods:
•    OATH HOTP (RFC4226)
•    Challenge/Response (RFC2289)
•    Mobile OTP (OpenSource Project)
•    SMS
•    ... others ...

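The first method in the list, OATH HOTP (RFC 4226), as an added example that is not code from these slides or from the Clavid portal: the HMAC-SHA1 computation with dynamic truncation, plus the validation-server logic from section 7 of the RFC (look-ahead window for skipped button presses, counter advance past the accepted value so an OTP can never be accepted twice, and a throttle after repeated failures). The secret is the RFC's own Appendix D test secret, so the first three codes can be checked against the published vectors; the window and throttle sizes are constructed parameters.

```python
import hashlib
import hmac
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated to `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                     # low nibble of the last byte selects 4 bytes
    code = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16 | mac[offset + 2] << 8 | mac[offset + 3])
    return str(code % 10 ** digits).zfill(digits)

class HotpValidator:
    """Server side of RFC 4226 section 7: look-ahead window, counter resynchronisation and throttling."""
    def __init__(self, secret: bytes, look_ahead: int = 5, max_failures: int = 5):
        self.secret, self.counter = secret, 0   # next counter value the server expects from this token
        self.look_ahead, self.max_failures, self.failures = look_ahead, max_failures, 0

    def validate(self, submitted: str) -> bool:
        if self.failures >= self.max_failures:
            return False  # locked after too many consecutive failures (RFC 4226, 7.3)
        for offset in range(self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.secret, self.counter + offset), submitted):
                self.counter += offset + 1      # move past the used value: it can never be replayed
                self.failures = 0
                return True
        self.failures += 1
        return False

def demo():
    """Generates the RFC test vectors and walks a validator through normal use, replay and resync."""
    secret = b"12345678901234567890"  # RFC 4226 Appendix D test secret
    v = HotpValidator(secret)
    return {
        "rfc_vectors": [hotp(secret, c) for c in range(3)],
        "in_order": v.validate(hotp(secret, 0)),
        "replay": v.validate(hotp(secret, 0)),            # counter already advanced: rejected
        "skipped_presses": v.validate(hotp(secret, 4)),   # counters 1-3 skipped, still within look-ahead
        "too_far": v.validate(hotp(secret, 20)),          # beyond the window: rejected, needs resync
        "counter": v.counter,
    }
```

The event-based design is what makes HOTP replay-proof on the server: once counter 4 has been accepted the validator expects at least 5, so the skipped codes 1 to 3 are dead as well. The look-ahead window is the trade-off between tolerance for accidental button presses and the number of guesses an attacker gets per attempt, which is why the throttle in 7.3 belongs with it.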
Clavid Portal - Personas

[Figure]

Clavid Portal - Login Settings

[Figure]

Clavid Login Dialog

[Figure]

SECTION 6: Conclusion
> Further References
> Questions & Answers
> Contact Information

Further Links: on OpenID

OpenID Identity Providers can be found at:
>   http://en.wikipedia.org/wiki/OpenID
>   http://en.wikipedia.org/wiki/List_of_OpenID_providers
>   http://www.openiddirectory.com/openid-providers-c-1.html
>   http://www.clavid.com/ (Strong Authentication in Europe)

Conclusion

> OpenID: An open, well documented specification allowing Internet Single
  Sign-On (SSO) for individual "Public Services" (B2C)

> SAML: Trust-based Internet and Intranet Single Sign-On for Business
  Services (B2B)

> Professional Identity Providers are already in place

> User-centric Identity Management is already integrated

> Join OpenID Switzerland in order to increase the OpenID momentum

> Enable your Internet Services to support OpenID or SAML!!!

Demo

> SAML login to Google Business Apps using AXSionics fingerprint

> SAML login to Salesforce.com using YubiKey OTP

> OpenID login to local.ch using a Swiss Post certificate

> Online Identity Administration (Clavid Portal)

Questions & Answers




Contact Information




 
OpenID Progress EEMA Conference
OpenID Progress EEMA ConferenceOpenID Progress EEMA Conference
OpenID Progress EEMA Conference
 
Mozilla BrowserID/Persona (2012 MDN Hack Day LDN)
Mozilla BrowserID/Persona (2012 MDN Hack Day LDN)Mozilla BrowserID/Persona (2012 MDN Hack Day LDN)
Mozilla BrowserID/Persona (2012 MDN Hack Day LDN)
 
OpenID and decentralised social networks
OpenID and decentralised social networksOpenID and decentralised social networks
OpenID and decentralised social networks
 
Practical Federated Identity
Practical Federated Identity Practical Federated Identity
Practical Federated Identity
 
Open ID
Open IDOpen ID
Open ID
 
Implementing MITREid - CIS 2014 Presentation
Implementing MITREid - CIS 2014 PresentationImplementing MITREid - CIS 2014 Presentation
Implementing MITREid - CIS 2014 Presentation
 
FIDO Alliance: Year in Review Webinar slides from January 20 2016
FIDO Alliance: Year in Review Webinar slides from January 20 2016FIDO Alliance: Year in Review Webinar slides from January 20 2016
FIDO Alliance: Year in Review Webinar slides from January 20 2016
 
Lecture 20101124
Lecture 20101124Lecture 20101124
Lecture 20101124
 
OpenID Connect "101" Introduction -- October 23, 2018
OpenID Connect "101" Introduction -- October 23, 2018OpenID Connect "101" Introduction -- October 23, 2018
OpenID Connect "101" Introduction -- October 23, 2018
 
Authentication and strong authentication for Web Application
Authentication and strong authentication for Web ApplicationAuthentication and strong authentication for Web Application
Authentication and strong authentication for Web Application
 
Identity Federation on JBossAS
Identity Federation on JBossASIdentity Federation on JBossAS
Identity Federation on JBossAS
 
FIDO UAF 1.0 Specs: Overview and Insights
FIDO UAF 1.0 Specs: Overview and InsightsFIDO UAF 1.0 Specs: Overview and Insights
FIDO UAF 1.0 Specs: Overview and Insights
 
Authenticator and provisioning connector in wso2 is
Authenticator and provisioning connector in wso2 isAuthenticator and provisioning connector in wso2 is
Authenticator and provisioning connector in wso2 is
 
Authenticator and provisioning connector in wso2 Identity Server
Authenticator and provisioning connector in wso2 Identity ServerAuthenticator and provisioning connector in wso2 Identity Server
Authenticator and provisioning connector in wso2 Identity Server
 

Mais de Sylvain Maret

Air Navigation Service Providers - Unsecurity on Voice over IP Radion
Air Navigation Service Providers - Unsecurity on Voice over IP RadionAir Navigation Service Providers - Unsecurity on Voice over IP Radion
Air Navigation Service Providers - Unsecurity on Voice over IP Radion
Sylvain Maret
 
factsheet_4g_critical_comm_en_vl
factsheet_4g_critical_comm_en_vlfactsheet_4g_critical_comm_en_vl
factsheet_4g_critical_comm_en_vl
Sylvain Maret
 
Securite des Web Services (SOAP vs REST) / OWASP Geneva dec. 2012
Securite des Web Services (SOAP vs REST) / OWASP Geneva dec. 2012Securite des Web Services (SOAP vs REST) / OWASP Geneva dec. 2012
Securite des Web Services (SOAP vs REST) / OWASP Geneva dec. 2012
Sylvain Maret
 
Geneva Application Security Forum: Vers une authentification plus forte dans ...
Geneva Application Security Forum: Vers une authentification plus forte dans ...Geneva Application Security Forum: Vers une authentification plus forte dans ...
Geneva Application Security Forum: Vers une authentification plus forte dans ...
Sylvain Maret
 
Geneva Application Security Forum: Vers une authentification plus forte dans ...
Geneva Application Security Forum: Vers une authentification plus forte dans ...Geneva Application Security Forum: Vers une authentification plus forte dans ...
Geneva Application Security Forum: Vers une authentification plus forte dans ...
Sylvain Maret
 
Phishing Facebook Attack
Phishing Facebook AttackPhishing Facebook Attack
Phishing Facebook Attack
Sylvain Maret
 

Mais de Sylvain Maret (20)

Air Navigation Service Providers - Unsecurity on Voice over IP Radion
Air Navigation Service Providers - Unsecurity on Voice over IP RadionAir Navigation Service Providers - Unsecurity on Voice over IP Radion
Air Navigation Service Providers - Unsecurity on Voice over IP Radion
 
factsheet_4g_critical_comm_en_vl
factsheet_4g_critical_comm_en_vlfactsheet_4g_critical_comm_en_vl
factsheet_4g_critical_comm_en_vl
 
INA Volume 1/3 Version 1.0 RC / Digital Identity and Authentication
INA Volume 1/3 Version 1.0 RC / Digital Identity and AuthenticationINA Volume 1/3 Version 1.0 RC / Digital Identity and Authentication
INA Volume 1/3 Version 1.0 RC / Digital Identity and Authentication
 
Securite des Web Services (SOAP vs REST) / OWASP Geneva dec. 2012
Securite des Web Services (SOAP vs REST) / OWASP Geneva dec. 2012Securite des Web Services (SOAP vs REST) / OWASP Geneva dec. 2012
Securite des Web Services (SOAP vs REST) / OWASP Geneva dec. 2012
 
ASFWS 2012 / Initiation à la sécurité des Web Services par Sylvain Maret
ASFWS 2012 / Initiation à la sécurité des Web Services par Sylvain MaretASFWS 2012 / Initiation à la sécurité des Web Services par Sylvain Maret
ASFWS 2012 / Initiation à la sécurité des Web Services par Sylvain Maret
 
Threat Modeling / iPad
Threat Modeling / iPadThreat Modeling / iPad
Threat Modeling / iPad
 
Strong Authentication in Web Application #SCS III
Strong Authentication in Web Application #SCS IIIStrong Authentication in Web Application #SCS III
Strong Authentication in Web Application #SCS III
 
Strong Authentication in Web Applications: State of the Art 2011
Strong Authentication in Web Applications: State of the Art 2011Strong Authentication in Web Applications: State of the Art 2011
Strong Authentication in Web Applications: State of the Art 2011
 
Final conclusions of Working Group 3 at Workshop Münchenwiler 20-21 of May 20...
Final conclusions of Working Group 3 at Workshop Münchenwiler 20-21 of May 20...Final conclusions of Working Group 3 at Workshop Münchenwiler 20-21 of May 20...
Final conclusions of Working Group 3 at Workshop Münchenwiler 20-21 of May 20...
 
Comment protéger de façon efficace son/ses identité(s) numérique(s) sur le We...
Comment protéger de façon efficace son/ses identité(s) numérique(s) sur le We...Comment protéger de façon efficace son/ses identité(s) numérique(s) sur le We...
Comment protéger de façon efficace son/ses identité(s) numérique(s) sur le We...
 
Digital identity trust & confidence
Digital identity trust & confidenceDigital identity trust & confidence
Digital identity trust & confidence
 
Implementation of a Biometric Solution Providing Strong Authentication To Gai...
Implementation of a Biometric Solution Providing Strong Authentication To Gai...Implementation of a Biometric Solution Providing Strong Authentication To Gai...
Implementation of a Biometric Solution Providing Strong Authentication To Gai...
 
Geneva Application Security Forum: Vers une authentification plus forte dans ...
Geneva Application Security Forum: Vers une authentification plus forte dans ...Geneva Application Security Forum: Vers une authentification plus forte dans ...
Geneva Application Security Forum: Vers une authentification plus forte dans ...
 
Geneva Application Security Forum: Vers une authentification plus forte dans ...
Geneva Application Security Forum: Vers une authentification plus forte dans ...Geneva Application Security Forum: Vers une authentification plus forte dans ...
Geneva Application Security Forum: Vers une authentification plus forte dans ...
 
Corrélation d'évènements dans un environnement VoIP avec ExaProtect
Corrélation d'évènements dans un environnement VoIP avec ExaProtectCorrélation d'évènements dans un environnement VoIP avec ExaProtect
Corrélation d'évènements dans un environnement VoIP avec ExaProtect
 
Protection Des Données avec la Biométrie Match On Card
Protection Des Données avec la Biométrie Match On CardProtection Des Données avec la Biométrie Match On Card
Protection Des Données avec la Biométrie Match On Card
 
Phishing Facebook Attack
Phishing Facebook AttackPhishing Facebook Attack
Phishing Facebook Attack
 
Biométrie et Mobilité
Biométrie et MobilitéBiométrie et Mobilité
Biométrie et Mobilité
 
Comment Sécurisé son Identité Numérique
Comment Sécurisé son Identité NumériqueComment Sécurisé son Identité Numérique
Comment Sécurisé son Identité Numérique
 
Cours Authentication Manager RSA
Cours Authentication Manager RSACours Authentication Manager RSA
Cours Authentication Manager RSA
 

Geneva Application Security Forum: Towards Stronger Authentication in Web Applications

  • 1. OpenID & SAML, Identity Federation, SuisseID, Strong Authentication Service: Single Sign-On Concepts with a Future
    Geneva Application Security Forum 2010, March 4th 2010
    Robert Ott, Master of Science (Honors), CFO, Clavid AG, Zug, Switzerland; OpenID Representative Switzerland
    Fredi Weideli, Master of Computer Science, CTO
  • 2. Agenda
    > SECTION 1: OpenID - What is it? How does it work? Integration?
    > SECTION 2: SAML - What is it? How does it work?
    > SECTION 3: Identity Federation
    > SECTION 4: A Word on SuisseID
    > SECTION 5: Strong Authentication as a Service
    > SECTION 6: Further Links / Conclusion / Q&A
  • 3. SECTION 1: OpenID
    > What is it?
    > How does it work?
    > How to integrate?
  • 4. OpenID - What is it?
    > Internet Single Sign-On
    > Relatively Simple Protocol
    > User-Centric Identity Management
    > Internet Scalable
    > Free Choice of Identity Provider
    > No License Fee
    > Independent of Identification Methods
    > Non-Profit Organization
  • 5. OpenID - How does it work? (diagram) User Hans Muster, domain www.iid.ch, uses the Identity URL hans.muster.iid.ch as his OpenID (OpenID=hans.muster.iid.ch). Authentication takes place at the Identity Provider (e.g. clavid.ch); the OpenID-enabled service receives the result.
  • 6. OpenID - How does it work? (diagram) User Hans Muster, Identity Provider e.g. clavid.com (hans.muster.clavid.com), Identity URL https://hans.muster.clavid.com, OpenID-enabled service. Caption: 1. User enters OpenID; 2. Discovery; 3. Authentication; 4. Approval; 4a. Change Attributes; 5. Send Attributes; 6. Validation.
  • 7. OpenID - How does it work?
    Step 1: A user decides to use a personalized Internet Service supporting OpenID (e.g. local.ch). The user clicks on "Login using OpenID" and enters their OpenID (e.g. hans.muster.iid.ch).
    Step 2: The requested Internet Service converts the OpenID into a URL (http://hans.muster.iid.ch) and requests this URL in order to discover the Identity Provider of the user.
    Step 2a: In this example, the user has delegated their OpenID to the Identity Provider clavid.ch.
    Step 3: The Identity Provider offers the authentication methods available for that specific user (in this case "Password"). After successful authentication, the next step (approval) is initiated.
    Step 4: The user decides on the values of the requested attributes to be provided to the Internet Service. The Identity Provider usually offers user-specific Personas (attribute templates) to assist the user in this approval process.
    Step 4a: At this point, the user may change attribute values and store them on the Identity Provider for future approvals for that specific service. Thus a user can automate future approvals for specific Internet Services.
    Steps 5, 6: The attribute values are then signed and sent from the Identity Provider to the Internet Service. The Internet Service validates the signature of the provided attributes and finally accepts the user as authenticated.
  • 8. OpenID - How does it work?
  • 9. OpenID - How does it work?
  • 10. OpenID - User-Centric Identity Management (diagram): TODAY, several separate username/password pairs; TOMORROW?, one OpenID Provider; FUTURE?
  • 11. OpenID - How to Integrate?
    Assumptions concerning your current site:
    > Users sign in with their username and password
    > There is a form where new users have to register
    > Each user is identified by a unique ID in your database
    > A settings page lets users manage their account info
    Recipe:
    > Extend the database to map the OpenIDs to the user IDs
    > Extend the registration page with an OpenID input field
    > Extend the sign-in page with an OpenID input field
    > Extend the settings page to attach and detach OpenIDs
  • 12. OpenID - How to Integrate?
    Ingredients:
    > An OpenID Consumer Library
    > The standard OpenID logos
    > An OpenID Provider to test your site with
  • 13. OpenID - How to Integrate? OpenID Libraries
    > C#: DotNetOpenId, ExtremeSwank
    > C++: Libopkele
    > Java: NetMesh InfoGrid LID, OpenID4Java, joid
    > Perl: Net::OpenID, OpenID4Perl
    > Python: JanRain
    > Ruby: JanRain, Heraldry
    > PHP: JanRain, Zend Framework OpenID Component, Saeven.net's JanRain Service Utility Class, Taral, Simple Class, sfOpenIDPlugin, CakePHP, EasyOpenID, OpenID For PHP, AuthOpenID Snippet
    > ColdFusion: CFKit OpenID, CFOpenID, OpenID CFC
    > Apache 2: mod_auth_openid
  • 14. SECTION 2: SAML
    > What is it?
    > How does it work?
  • 15. SAML – What is it? SAML (Security Assertion Markup Language):
    > Defined by the OASIS group
    > Well and academically designed specification
    > Uses XML syntax
    > Used for authentication and authorization
    > SAML Assertions: statements of type Authentication, Attribute, Authorization
    > SAML Protocols: queries such as Authentication, Artifact, Name Identifier Mapping, etc.
    > SAML Bindings: SOAP, Reverse SOAP, HTTP GET, HTTP POST, HTTP Artifact
    > SAML Profiles: Web Browser Single Sign-On Profile, Identity Provider Discovery Profile, Assertion Query/Request Profile, Attribute Profile
  • 16. SAML – How does it work? (diagram) User Hans Muster is redirected from the enabled service (e.g. Google Apps for Business) to the Identity Provider (e.g. clavid.ch) with an <AuthnRequest>; after authentication the Identity Provider redirects back with a <Response> carrying a signed Assertion, and the user accesses the resource.
  • 17. SAML – How does it work? (diagram) Numbered flow between User Hans Muster, the Identity Provider (e.g. clavid.ch) and the Enabled Service (e.g. Google Apps for Business); the steps are explained on the next slide.
  • 18. SAML – How does it work?
    Step 1: A user decides to use a personalized Internet Service connected to a SAML-based Identity Provider (e.g. Google Business Application Calendar).
    Step 2: The Internet Service recognizes that the user is not logged in yet. A SAML <AuthnRequest> is created and sent via redirect to the Identity Provider.
    Step 3: The Identity Provider offers the authentication methods available for that specific user (in this case "YubiKey" OTP). After successful authentication, the next step is initiated.
    Step 4: The Identity Provider creates a SAML <Response> containing the user's identifier for the specific target application. It then signs the SAML <Response> and sends it via a POST redirect to the Internet Service (e.g. Google Calendar).
    Step 5: The Internet Service (e.g. Google Apps) verifies the signature of the SAML <Response> and now knows the user's identifier provided by the Identity Provider.
    Step 6: The Internet Service can now be used by the user.
  • 19. SAML – How does it work? (diagram) 1) Call application URL; 2) Login; 3) Application usage.
  • 20. SECTION 3: Identity Federation
  • 21. B2B Identity Federation - The Protocol Problem (diagram) Company A's intranet connects over https to several SaaS applications, each expecting a different protocol (proprietary token, OpenID, SAML 1.0, SAML 2.0): Internet Service A (Travel Ticket Shop), Internet Service B (Document Management) and Internet Service C (Personal Recruiting).
  • 22. B2B Identity Federation - The Protocol Mess (diagram) Companies A, B and C each have to support every protocol (proprietary token, OpenID, SAML 1.0, SAML 2.0 over https) for the same SaaS applications: Internet Service A (Travel Ticket Shop), B (Document Management) and C (Personal Recruiting).
  • 23. B2B Identity Federation - The Protocol Solution (diagram) An Internet Identity Provider sits between the company intranets and the SaaS applications. It performs identity mapping and Internet SSO, speaks the protocol each service expects (proprietary token, OpenID, SAML 1.0, SAML 2.0 over https) and offers the authentication methods One Time Password (OTP), Biometric (AXSionics), Mobile Phone (SMS), eID (Identity Card) and SSL Certificates.
  • 24. B2B Identity Federation - The Protocol Solution (diagram) The same Internet Identity Provider federates the identities of Companies A, B and C (Identity Federation, Internet SSO over https) towards services using proprietary tokens, SAML 1.0 and SAML 2.0, with the authentication methods One Time Password (OTP), Biometric (AXSionics), Mobile Phone (SMS), eID (Identity Card) and SSL Certificates.
  • 25. SECTION 4: A Word on SuisseID
  • 26. A Word on SuisseID
    > SuisseID is currently in the early draft specification phase
    > SuisseID should be available to the public in spring 2010
    > SuisseID cost will be refunded by the Government in 2010
    > SuisseID will most probably consist of:
      – A signature certificate
      – An authentication certificate
      – All certificates conform to ZertES
      – Certificates contain a unique SuisseID number
      – An Identity Provider service for attribute exchange
    > Eligible SuisseID certificate service providers will be:
      – Swiss Post (SwissSign), Swisscom, QuoVadis, Swiss Government
  • 27. A Word on SuisseID
  • 28. SECTION 5: Strong Authentication as a Service
  • 29. OpenID - International Identity Providers (diagram) Providers grouped by authentication method: Username/Password, Certificates, Biometric, OTP.
  • 30. Clavid Portal for Strong Authentication
  • 31. Clavid Portal - AXSionics
  • 32. Clavid Portal - YubiKey
  • 33. Clavid Portal - Certificates
  • 34. Clavid Portal - One Time Password
    OTP methods:
    > OATH HOTP (RFC 4226)
    > Challenge/Response (RFC 2289)
    > Mobile OTP (open-source project)
    > SMS
    > ... others ...
  • 35. Clavid Portal - Personas
  • 36. Clavid Portal - Login Settings
  • 37. Clavid Login Dialog
  • 38. SECTION 6: Conclusion
    > Further References
    > Questions & Answers
    > Contact Information
  • 39. Further Links on OpenID. OpenID Identity Providers can be found at:
    > http://en.wikipedia.org/wiki/OpenID
    > http://en.wikipedia.org/wiki/List_of_OpenID_providers
    > http://www.openiddirectory.com/openid-providers-c-1.html
    > http://www.clavid.com/ (Strong Authentication in Europe)
  • 40. Conclusion
    > OpenID: an open, well-documented specification allowing Internet Single Sign-On (SSO) for individual "Public Services" (B2C)
    > SAML: trust-based Internet and Intranet Single Sign-On for Business Services (B2B)
    > Professional Identity Providers are already in place
    > User-Centric Identity Management is already integrated
    > Join OpenID Switzerland in order to increase the OpenID momentum
    > Enable your Internet Services to support OpenID or SAML!
  • 41. Demo
    > SAML login to Google Business Apps using an AXSionics fingerprint
    > SAML login to Salesforce.com using YubiKey OTP
    > OpenID login to local.ch using a Swiss Post certificate
    > Online identity administration (Clavid Portal)
  • 42. Questions & Answers
  • 43. Contact Information
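Step 6 of the OpenID flow on slide 7 (validation at the Internet Service) together with the OpenID-to-user-ID mapping from the recipe on slide 11, as an added example that is not from the slides or from Clavid: the relying party's checks on a signed positive assertion. It assumes an HMAC-SHA256 association was established with the OP during discovery; the association key and handle, the OP endpoint, the return_to URL and the user table are constructed.

```python
"""Relying-party checks on an OpenID 2.0 positive assertion (step 6 on slide 7), ending
in the OpenID-to-user-ID lookup from slide 11. Added example, not code from the slides or
from Clavid; the association key/handle, OP endpoint, return_to and user table are constructed,
and an HMAC-SHA256 association with the OP is assumed to exist from discovery (step 2)."""
import base64
import hashlib
import hmac
from datetime import datetime, timezone

ASSOC_HANDLE = "assoc-example-2010"              # constructed association handle
MAC_KEY = bytes(range(32))                       # constructed 256-bit MAC key
OP_ENDPOINT = "https://clavid.ch/openid/server"  # assumed OP endpoint URL
RETURN_TO = "https://local.ch/openid/return"     # assumed RP return_to URL
CLAIMED_ID = "http://hans.muster.iid.ch/"        # identity URL from slide 7
NONCE_WINDOW = 300                               # seconds a response_nonce stays fresh
FIXED_NOW = datetime(2010, 3, 4, 10, 0, 0, tzinfo=timezone.utc)   # clock for the demo

def sign(params, fields):
    """openid.sig as the OP computes it: base64(HMAC-SHA256(mac_key, kv_form)), where the
    Key-Value form is one 'field:value\\n' line per field, in openid.signed order."""
    kv = "".join(f"{f}:{params.get('openid.' + f, '')}\n" for f in fields)
    return base64.b64encode(hmac.new(MAC_KEY, kv.encode(), hashlib.sha256).digest()).decode()

class OpenIDConsumer:
    REQUIRED_SIGNED = ("op_endpoint", "return_to", "response_nonce",
                       "assoc_handle", "claimed_id", "identity")

    def __init__(self, users, now=lambda: FIXED_NOW):
        self.users = users          # claimed_id -> local user id (slide 11 mapping table)
        self.seen_nonces = set()    # accepted nonces, so a captured response cannot be replayed
        self.now = now              # callable returning an aware UTC datetime

    def verify(self, params):
        """Return the local user id for a valid assertion; raise ValueError otherwise."""
        if params.get("openid.mode") != "id_res":
            raise ValueError("not a positive assertion")
        # Must come from the OP found during discovery and be addressed to this RP.
        if params.get("openid.op_endpoint") != OP_ENDPOINT:
            raise ValueError("op_endpoint differs from discovered endpoint")
        if params.get("openid.return_to") != RETURN_TO:
            raise ValueError("return_to mismatch")
        # Every security-relevant field must be covered by the signature; an unsigned
        # claimed_id could be swapped for another user's without breaking openid.sig.
        signed = params.get("openid.signed", "").split(",")
        missing = [f for f in self.REQUIRED_SIGNED if f not in signed]
        if missing:
            raise ValueError(f"unsigned fields: {missing}")
        if params.get("openid.assoc_handle") != ASSOC_HANDLE:
            raise ValueError("unknown association handle")
        expected = sign(params, signed).encode()
        if not hmac.compare_digest(expected, params.get("openid.sig", "").encode()):
            raise ValueError("bad signature")
        # response_nonce begins with a UTC timestamp: it must be recent and never seen before.
        nonce = params.get("openid.response_nonce", "")
        issued = datetime.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if abs((self.now() - issued).total_seconds()) > NONCE_WINDOW:
            raise ValueError("stale nonce")
        if nonce in self.seen_nonces:
            raise ValueError("replayed nonce")
        self.seen_nonces.add(nonce)
        # Only now map the verified identifier to a local account (slide 11).
        user = self.users.get(params["openid.claimed_id"])
        if user is None:
            raise ValueError("unknown OpenID: send the user to registration")
        return user

def example_assertion():
    """Constructed positive assertion, signed the way the OP would sign it."""
    fields = list(OpenIDConsumer.REQUIRED_SIGNED)
    p = {"openid.ns": "http://specs.openid.net/auth/2.0", "openid.mode": "id_res",
         "openid.op_endpoint": OP_ENDPOINT, "openid.return_to": RETURN_TO,
         "openid.response_nonce": "2010-03-04T09:59:30Zx7Qk", "openid.assoc_handle": ASSOC_HANDLE,
         "openid.claimed_id": CLAIMED_ID, "openid.identity": CLAIMED_ID, "openid.signed": ",".join(fields)}
    p["openid.sig"] = sign(p, fields)
    return p

def outcome(consumer, params):
    """Run verify() and return the user id, or the rejection reason as a string."""
    try:
        return consumer.verify(params)
    except ValueError as e:
        return str(e)
```

Without an association the RP would instead send the assertion back to the OP in a check_authentication request (stateless mode); the return_to, nonce and mapping checks stay the same.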
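The service-provider side of the SAML flow on slide 18, as an added example that is not from the slides, Clavid or Google: step 2 builds the <AuthnRequest> for the HTTP-Redirect binding, and step 5 performs the checks on the <Response> that must accompany signature verification (InResponseTo, Destination, Status, Issuer, validity window, Audience). It assumes the XML-DSig check itself is done by a library before check_response() runs; the entity IDs and URLs are constructed.

```python
"""Service-provider side of the SAML Web Browser SSO flow on slide 18: step 2 builds the
<AuthnRequest> for the HTTP-Redirect binding, step 5 checks the <Response> fields that must be
validated together with the XML signature. Added example, not code from the slides, Clavid or
Google; the XML-DSig check is assumed done by a library before check_response() runs, and all
entity IDs and URLs are constructed."""
import base64
import secrets
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import urlencode

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
NS = {"samlp": SAMLP, "saml": SAML}
SP_ENTITY = "https://calendar.example/sp"     # constructed SP entityID
ACS_URL = "https://calendar.example/acs"      # constructed AssertionConsumerService URL
IDP_ENTITY = "https://clavid.ch/idp"          # assumed IdP entityID
IDP_SSO_URL = "https://clavid.ch/idp/sso"     # assumed IdP single sign-on endpoint
DEMO_NOW = datetime(2010, 3, 4, 10, 0, 30, tzinfo=timezone.utc)   # clock for the demo

def build_authn_request(now, request_id=None):
    """Step 2: return (request_id, redirect_url); the SP keeps request_id in the session."""
    request_id = request_id or "_" + secrets.token_hex(16)
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="{request_id}" '
           f'Version="2.0" IssueInstant="{now:%Y-%m-%dT%H:%M:%SZ}" Destination="{IDP_SSO_URL}" '
           f'AssertionConsumerServiceURL="{ACS_URL}"><saml:Issuer>{SP_ENTITY}</saml:Issuer>'
           '</samlp:AuthnRequest>')
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)   # redirect binding: raw DEFLATE, base64, URL-encode
    deflated = deflater.compress(xml.encode()) + deflater.flush()
    return request_id, IDP_SSO_URL + "?" + urlencode({"SAMLRequest": base64.b64encode(deflated).decode()})

def saml_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_response(xml, expected_request_id, now):
    """Step 5 after the signature verified: return the NameID or raise ValueError."""
    root = ET.fromstring(xml)
    # Ties the Response to our own request: rejects one issued for another SP's login
    # or injected into a session that never started one.
    if root.get("InResponseTo") != expected_request_id:
        raise ValueError("InResponseTo does not match our AuthnRequest")
    if root.get("Destination") != ACS_URL:
        raise ValueError("Destination is not our ACS URL")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        raise ValueError("IdP did not report Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no plain Assertion (EncryptedAssertion not handled here)")
    if assertion.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY:
        raise ValueError("assertion issued by an unexpected IdP")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or not saml_time(cond.get("NotBefore")) <= now < saml_time(cond.get("NotOnOrAfter")):
        raise ValueError("assertion outside its validity window")
    if SP_ENTITY not in [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        raise ValueError("assertion not intended for this SP")
    name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        raise ValueError("no NameID in Subject")
    return name_id

def example_response(request_id):
    """Constructed Response as the IdP would POST it to the ACS (Signature element omitted)."""
    return (f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1" Version="2.0" '
            f'IssueInstant="2010-03-04T10:00:00Z" Destination="{ACS_URL}" InResponseTo="{request_id}">'
            f'<saml:Issuer>{IDP_ENTITY}</saml:Issuer><samlp:Status><samlp:StatusCode Value="{SUCCESS}"/>'
            f'</samlp:Status><saml:Assertion ID="_a1" Version="2.0" IssueInstant="2010-03-04T10:00:00Z">'
            f'<saml:Issuer>{IDP_ENTITY}</saml:Issuer><saml:Subject><saml:NameID>hans.muster@example.com'
            '</saml:NameID></saml:Subject><saml:Conditions NotBefore="2010-03-04T09:59:00Z" '
            f'NotOnOrAfter="2010-03-04T10:05:00Z"><saml:AudienceRestriction><saml:Audience>{SP_ENTITY}'
            '</saml:Audience></saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>')

def outcome(xml, request_id, now=DEMO_NOW):
    """Run check_response() and return the NameID, or the rejection reason as a string."""
    try:
        return check_response(xml, request_id, now)
    except ValueError as e:
        return str(e)
```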
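OATH HOTP (RFC 4226), the first OTP method listed on slide 34, as an added example that is not from the slides or from Clavid's portal: the algorithm as the verifying server runs it, plus the look-ahead window, throttling and counter advance that make a captured code unusable a second time. The secret is the RFC 4226 test-vector key; the per-token state kept in memory is constructed.

```python
"""OATH HOTP (RFC 4226), the first OTP method on slide 34, as the server side runs it: the
algorithm plus a verifier with the look-ahead window, throttling and counter advance that
the RFC asks for. Added example, not code from the slides or from Clavid's portal; the secret
is the RFC 4226 test-vector key and the per-token state is kept in memory (constructed)."""
import hashlib
import hmac
import struct

RFC_SECRET = b"12345678901234567890"   # 20-byte test key from RFC 4226 appendix D

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP(K, C) = Truncate(HMAC-SHA-1(K, C)) mod 10^digits, with C as 8-byte big-endian."""
    hs = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = hs[19] & 0x0F                       # low nibble of the last byte selects 4 bytes
    code = ((hs[offset] & 0x7F) << 24 | hs[offset + 1] << 16
            | hs[offset + 2] << 8 | hs[offset + 3])  # dynamic truncation to a 31-bit integer
    return f"{code % 10 ** digits:0{digits}d}"

class HotpVerifier:
    """Server-side state for one token: shared secret, next expected counter and the
    consecutive-failure count. Window and throttle follow RFC 4226 sections 7.3 and 7.4."""

    def __init__(self, secret: bytes, counter: int = 0, window: int = 5, max_failures: int = 5):
        self.secret = secret
        self.counter = counter          # lowest counter value still acceptable
        self.window = window            # how far ahead the token may have drifted
        self.failures = 0
        self.max_failures = max_failures

    def verify(self, code: str) -> bool:
        if self.failures >= self.max_failures:
            return False                # throttled: needs an out-of-band resync
        # Look ahead: the user may have generated codes without submitting them.
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c).encode(), code.encode()):
                self.counter = c + 1    # every counter <= c is now dead, so no replay
                self.failures = 0
                return True
        self.failures += 1
        return False
```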