
TrustBearer - Virginia Security Summit - Web Authentication Strategies - April 2009

4,516 views


TrustBearer's Brian Kelly gave this presentation during the Identity Management track at the Virginia Security Summit in Richmond, VA. It compares SAML to OpenID and explains how different authentication methods can be used with either of these Single Sign On standards.

Published in: Technology
  • Good insight and recommendations


  1. Web Authentication Strategies. Virginia Security Summit, Identity Management track, April 27, 2009. Brian Kelly, Vice President, TrustBearer Labs, a partner company of VeriSign, Inc.
  2. Simplify. Techniques and technology that can be leveraged to make managing user accounts easier and more secure.
  3. Know your users
     Employees                                    Citizens
     • 1,000+                                     • 100,000+
     • Identity vetted                            • Internet-based identity
     • Bulk-provisioning (with official email)    • On-the-fly provisioning (with Internet email)
     • IT staff to handle support requests        • Automated support requests
  4. Identity vetting
     • Employee identities are vetted in advance, in person
     • Citizens may need vetting, depending on the services accessed, but in-person vetting is rarely available
  5. Account Provisioning
     • Employees are typically assigned an email address, network account, and temporary password after hire.
       ‣ Then (some) applications are provisioned
     • Citizens typically request an account after proving their identity (e.g. driver’s license number & date of birth)
       ‣ Then username & password are created, and (one) application is provisioned.
  6. Support
     • Help desk staff support employee requests (e.g. password reset, new application access)
     • Citizen requests may be of much higher volume, which requires more automated support options
  7. Making it easier
  8. Employee Web Apps
     • Use a single SAML Identity Provider; make web apps SAML consumers
     • Provision all apps using SAML user IDs
     • Employee authenticates in one place and gets access to all provisioned applications
     • Account support is centralized
     • Can still use OTP, smart card, or password (more on that later)
  9. How does SAML work?
     [Diagram] User → Login Web Page → SAML ID Provider (authenticates users against LDAP, creates signed assertions) → App 1 / App 2 / App 3 and other SAML Service Providers (consumers) verify the signed assertions → user is logged in to the web app.
  10. Citizen Web Apps
     • Make web apps OpenID Relying Parties and stop managing usernames & passwords
     • Use existing ID vetting process or outsource
     • Add an Extended Validation SSL certificate
     • Citizen gets to reuse existing credentials
     • Can still use OTP, smart card, or password
     • Account support is partially outsourced
  11. How does OpenID work?
     [Diagram] Citizen → Web App Login Page → user authenticates to the OpenID Provider → Web App OpenID Relying Party (consumer) verifies the previously enrolled OpenID user → citizen is logged in to the web app.
     Citizen identity vetting could take place during the OpenID enrollment stage. The user authenticates to the IdP and enables the account to be used with the government site.
  12. SAML
     OpenID                                                    SAML
     • Consumer focused                                        • Enterprise focused
     • On-the-fly provisioning                                 • Bulk-provisioning (on-the-fly supported)
     • Many identity providers available online for            • Identity Provider is internal to the
       consumers to choose                                       organization (typically)
     • Mostly open-source, OS and services                     • Commercial and COTS products available
  13. What about authentication options?
  14. End-point authentication is agnostic of the SSO standard. All can be supported by SAML or OpenID:
     • username / password
     • one-time password (OTP) tokens
     • smart cards (e.g. PIV, CAC, FRAC)
     • client digital certificates
     • information cards
     • biometrics
     • image verification
  15. Identity Provider decides end-point authentication options
     • Google, Yahoo, AOL: password
     • myOpenID: password, phone verify, client certificate, info card
     • VeriSign PIP: OTP, client certificate, info card, EV SSL
     • TrustBearer: smart cards (CAC, PIV, etc.), biometrics
     • Vidoop: image recognition (CAPTCHA)
     The IdP can specify the authentication methods used to the RP, which can even request preferences.
  16. What authentication method to choose?
  17. Required Protections for OMB’s E-Auth Assurance Levels
     Protect against            Level 1   Level 2   Level 3   Level 4
     On-line guessing              ✓         ✓         ✓         ✓
     Replay                        ✓         ✓         ✓         ✓
     Eavesdropper                            ✓         ✓         ✓
     Verifier impersonation                  ✓         ✓         ✓
     Man-in-the-middle                                 ✓         ✓
     Session hijacking                                           ✓
     From NIST SP 800-63 p. 39
  18. Token Types Allowed At Each Assurance Level
     Token Type                 Level 1   Level 2   Level 3   Level 4
     Hard crypto token             ✓         ✓         ✓         ✓
     One-time password device      ✓         ✓         ✓
     Soft crypto token             ✓         ✓         ✓
     Passwords & PINs              ✓         ✓
     From NIST SP 800-63 p. 39
  19. OpenID Provider Authentication Policy Extension (PAPE)
     • Provides a way for Relying Parties to request / view the authentication policies of the Identity Provider
     • Policies: Phishing-resistant, Multi-Factor, and Physical Multi-Factor
     • Preferred authentication levels, e.g. NIST: 1, 2, 3, 4
     SAML also allows authentication attributes to be added to a message.
  20. In summary
     • You have better options than managing usernames & passwords for every web app
     • SAML has strong enterprise support
     • OpenID is convenient for Internet users
     • There are many end-point authentication options for each SSO option
     • Perform a risk-based analysis on your app to choose an authentication type
  21. Thank you. http://trustbearer.com, http://www.verisign.com/authentication/. Brian Kelly, brian.kelly@trustbearer.com, twitter.com/TrustBearer, Vice President, TrustBearer Labs, a partner company of VeriSign, Inc.
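As an added example (not part of the deck and not TrustBearer's code) of the PAPE exchange on slide 19 tied to the assurance levels of slides 17 and 18: a Relying Party in Python builds the PAPE request fields and then checks the Provider's response against a required policy and a minimum NIST level. The "nist" alias and the sample response are constructed for illustration; the OpenID signature over the response is assumed to have been verified separately.

```python
# Added example: OpenID RP side of PAPE, checking an OP's reported policies
# and NIST SP 800-63 level against what the RP's risk analysis requires.
PAPE_NS = "http://specs.openid.net/extensions/pape/1.0"
POLICY_BASE = "http://schemas.openid.net/pape/policies/2007/06/"
PHISHING_RESISTANT = POLICY_BASE + "phishing-resistant"
MULTI_FACTOR_PHYSICAL = POLICY_BASE + "multi-factor-physical"
NO_POLICY = POLICY_BASE + "none"  # OP satisfied none of the requested policies
# Namespace PAPE 1.0 defines for NIST SP 800-63 assurance levels
NIST_LEVEL_NS = "http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf"


def pape_request_params(preferred_policies, max_auth_age=300):
    """PAPE fields the RP appends to its checkid_setup request.
    Policies are space separated; 'nist' is our (constructed) alias."""
    return {
        "openid.ns.pape": PAPE_NS,
        "openid.pape.preferred_auth_policies": " ".join(preferred_policies),
        "openid.pape.max_auth_age": str(max_auth_age),
        "openid.pape.preferred_auth_level_types": "nist",
        "openid.pape.auth_level.ns.nist": NIST_LEVEL_NS,
    }


def meets_requirement(response, required_policies, min_nist_level):
    """True only if the (already signature-checked) positive assertion
    grants every required policy URI and reports a NIST level at or
    above min_nist_level; anything missing or malformed fails closed."""
    if response.get("openid.ns.pape") != PAPE_NS:
        return False  # OP ignored PAPE: policy unknown, so do not trust it
    granted = set(response.get("openid.pape.auth_policies", "").split())
    granted.discard(NO_POLICY)
    if not set(required_policies) <= granted:
        return False
    if response.get("openid.pape.auth_level.ns.nist") != NIST_LEVEL_NS:
        return False  # level claimed under another scheme, or not at all
    try:
        return int(response["openid.pape.auth_level.nist"]) >= min_nist_level
    except (KeyError, ValueError):
        return False


# Constructed sample response: a smart-card login reported as NIST level 3
SAMPLE_RESPONSE = {
    "openid.ns.pape": PAPE_NS,
    "openid.pape.auth_policies": f"{PHISHING_RESISTANT} {MULTI_FACTOR_PHYSICAL}",
    "openid.pape.auth_level.ns.nist": NIST_LEVEL_NS,
    "openid.pape.auth_level.nist": "3",
}

if __name__ == "__main__":
    print(pape_request_params([PHISHING_RESISTANT]))
    print(meets_requirement(SAMPLE_RESPONSE, [PHISHING_RESISTANT], 3))
```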