Published by Alfred Brown
Integration Considerations
Greg Thompson
April 20th, 2006
Copyright © 2006, Credentica Inc. All Rights Reserved.

Copyright © 2006, 9112-1772 Quebec Inc. Proprietary and Confidential

Overview
  Integration into enterprise I&AM
  Identity & Access Management Frameworks
    Liberty Alliance ID-FF / SAML 2.0
    Liberty Alliance ID-WSF
    Microsoft InfoCard
  Open Standards
    SAML 2.0
    XML Signature
    WS-Security
    WS-Trust
  Authentication
  Credentica implementations

Integration into enterprise I&AM

DC-enabling a legacy I&AM application
  (diagram: Client Component talking to AS and IdS; Internal RPs, External RPs and Federated RPs; Credentica servers CIPS, CIVS and CAAS; Token validation module; legacy X.509, Kerberos and LDAP)

Identity & Access Management Frameworks

Liberty Alliance ID-FF / SAML 2.0
  DC used only to authenticate with IdP
  DC used for proactive SSO with SPs
  DC used for unlinkable authentication with IdP
  (diagram: User, IdP, SPa, SPb)

Liberty Alliance ID-WSF
  DC-based security mechanism for all message exchanges
    LUAD can manage authentication and attribute delivery
  “Certified” Data Service
    Authority issues DCs to Data Service during Create/Update
    Data Service uses DCs to prove Query results to requestors
    Data Service may be hosted on User device
  Note: we are addressing requirements together with Liberty Alliance TEG (we are a member)

Microsoft “InfoCard”
  IC Issuer provides ic:InfoCard and DCs to User
  User device proves required claims to Relying Parties
    IC Issuer is out of the loop
  Note: we are currently exploring tight integration into InfoCard with Microsoft

Open Standards

SAML 2.0
  Profiles of usage patterns involving multiple parties
  Bindings of their messages to specific communications mechanisms
  Protocols that define the messages themselves
  An Assertion format that conveys Statements about a Subject from an Issuer

SAML Assertion
  May contain any number of Statements relating to
    An authentication event
    Some attributes
    An authorization decision
    Or any other app-specific information
  May contain usage Conditions and Advice
  May be signed by its issuer... which may create a digital wake

DC-based SAML Assertion
  Subject can construct a SAML Assertion with:
    Statements derived from certified attributes
    Digital Credential public key
    Issuer's signature
    DC proof of Statements
  Relying party verifies DC proof
  No more digital wake

XML Signature
  Holds a SignatureValue made using a key described by KeyInfo and computed using some SignatureMethod over a canonicalized SignedInfo holding one or more Reference elements that refer to... and hold digests of any data

DC-based XML Signature
  KeyInfo can contain or refer to a DC public key
  New SignatureMethod Algorithm URI for DC-based signature

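An added example (not from the Credentica deck) that walks the structure the two XML Signature slides describe: a Reference holding the digest of the data it points to, a canonicalized SignedInfo, and a SignatureValue checked under the key named by KeyInfo, with the verifier rejecting any Algorithm URI it was not expecting before doing any cryptography. Because the deck does not give the DC-based SignatureMethod URI, it assumes HMAC-SHA256 (a standard XMLDSIG method) with a shared key in place of a DC public key, uses the stdlib C14N 2.0 canonicalizer (Python 3.8+), and the assertion content, key and ID values are constructed.

```python
import base64, hashlib, hmac
import xml.etree.ElementTree as ET

DS_URI = "http://www.w3.org/2000/09/xmldsig#"
DS = "{%s}" % DS_URI
ET.register_namespace("ds", DS_URI)
C14N = "http://www.w3.org/2006/12/xml-c14n2"
# Assumption: HMAC-SHA256 stands in for the DC-based SignatureMethod, whose URI the deck does not give
SIG_METHOD = "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"
DIGEST_METHOD = "http://www.w3.org/2001/04/xmlenc#sha256"
KEY = b"constructed-demo-key"  # constructed; a DC public key would be carried in KeyInfo instead
b64 = lambda raw: base64.b64encode(raw).decode()

def canon(elem):
    # Signer and verifier must canonicalize identically; stdlib C14N 2.0 is used on both sides
    return ET.canonicalize(ET.tostring(elem, encoding="unicode"), strip_text=True).encode()

def sign(assertion, target_id):
    # Append a ds:Signature whose single Reference covers the element carrying ID=target_id
    target = assertion.find(".//*[@ID='%s']" % target_id)
    sig = ET.SubElement(assertion, DS + "Signature")
    si = ET.SubElement(sig, DS + "SignedInfo")
    ET.SubElement(si, DS + "CanonicalizationMethod", Algorithm=C14N)
    ET.SubElement(si, DS + "SignatureMethod", Algorithm=SIG_METHOD)
    ref = ET.SubElement(si, DS + "Reference", URI="#" + target_id)
    ET.SubElement(ref, DS + "DigestMethod", Algorithm=DIGEST_METHOD)
    ET.SubElement(ref, DS + "DigestValue").text = b64(hashlib.sha256(canon(target)).digest())
    ET.SubElement(sig, DS + "SignatureValue").text = b64(hmac.new(KEY, canon(si), "sha256").digest())
    ET.SubElement(ET.SubElement(sig, DS + "KeyInfo"), DS + "KeyName").text = "demo-key"
    return ET.tostring(assertion, encoding="unicode")

def verify(xml_text):
    # Check algorithm URIs first, then every Reference digest, then the SignatureValue over SignedInfo
    root = ET.fromstring(xml_text)
    sig = root.find(DS + "Signature")
    si = sig.find(DS + "SignedInfo")
    if si.find(DS + "SignatureMethod").get("Algorithm") != SIG_METHOD:
        return False  # never honour a method the verifier did not choose itself
    for ref in si.findall(DS + "Reference"):
        target = root.find(".//*[@ID='%s']" % ref.get("URI", "")[1:])
        if target is None or ref.find(DS + "DigestMethod").get("Algorithm") != DIGEST_METHOD:
            return False
        digest = b64(hashlib.sha256(canon(target)).digest())
        if not hmac.compare_digest(digest, ref.find(DS + "DigestValue").text or ""):
            return False
    mac = hmac.new(KEY, canon(si), "sha256").digest()
    return hmac.compare_digest(mac, base64.b64decode(sig.find(DS + "SignatureValue").text))

def sample_assertion():
    # Constructed SAML-style assertion; issuer and attribute values are made up for the demo
    a = ET.Element("Assertion", Issuer="https://idp.example")
    st = ET.SubElement(a, "AttributeStatement", ID="st1")
    ET.SubElement(st, "Attribute", Name="role").text = "member"
    return sign(a, "st1")
```

Editing the signed statement (for instance changing the attribute value) breaks the Reference digest, while swapping the SignatureMethod URI is refused before any digest is computed.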
WS-Security
  Provides security services for SOAP
  "Security tokens" in SOAP headers provide
    Message integrity
    Message confidentiality
  Digital Credential integrity protection using:
    DC-based SAML Assertion security token
    DC-based XML Signature over message

WS-Trust
  Defines a Security Token Service
    Exchanges one kind of token for another
  Issuance binding to issue Digital Credentials
  Validation binding to verify DC showings

Authentication

Authentication at different layers
  Network Layer
    No changes required for applications
    DC used by VPN clients
    ISAKMP for IPsec
  Transport Layer
    May require changes to applications, but only to plumbing
    DC used by application clients
    TLS cert_type hello extension
  Application Layer
    Requires localized changes to applications
    SPKM for GSS-API
      Integration into CORBAsec, GSS-API users, and SASL users
    Liberty Alliance SAEG TMa spec (“iClient” originating from Intel)

Credentica implementations

Implementations
  Now:
    Java Servlets for DC issuance and verification
    Nokia S60 Browser “filter” for DC issuance and use
    Java Applet for DC issuance and use
    Mozilla Firefox Extension (experimental)
  Future Possibilities:
    Internet Explorer Browser Helper Object
    Windows SSP/AP for local and network logon
    Authentication Modules for major I&AM suites
      Sun Java System Access Manager
      HP OpenView Select Access
      Etc.