Keeping access control while moving to the cloud

Slides:



Advertisements
Similar presentations
1 IDX. 2 What you will learn: What IDX is Why its important How to use it Tips and tricks Introduction Q & A.
Advertisements

Using Matrices in Real Life
Using PHINMS and Web-Services for Interoperability The findings and conclusions in this presentation are those of the author and do not necessarily represent.
Copyright © 2003 Pearson Education, Inc. Slide 1 Computer Systems Organization & Architecture Chapters 8-12 John D. Carpinelli.
Chapter 1 The Study of Body Function Image PowerPoint
1 Copyright © 2013 Elsevier Inc. All rights reserved. Chapter 1 Embedded Computing.
Copyright © 2011, Elsevier Inc. All rights reserved. Chapter 6 Author: Julia Richards and R. Scott Hawley.
Author: Julia Richards and R. Scott Hawley
1 Copyright © 2013 Elsevier Inc. All rights reserved. Appendix 01.
Properties Use, share, or modify this drill on mathematic properties. There is too much material for a single class, so you’ll have to select for your.
Slide 1 FastFacts Feature Presentation September 21, 2010 We are using audio during this session, so please dial in to our conference line… Phone number:
RXQ Customer Enrollment Using a Registration Agent (RA) Process Flow Diagram (Move-In) Customer Supplier Customer authorizes Enrollment ( )
Document #07-2I RXQ Customer Enrollment Using a Registration Agent (RA) Process Flow Diagram (Move-In) (mod 7/25 & clean-up 8/20) Customer Supplier.
1 Hyades Command Routing Message flow and data translation.
18 Copyright © 2005, Oracle. All rights reserved. Distributing Modular Applications: Introduction to Web Services.
Copyright CompSci Resources LLC Web-Based XBRL Products from CompSci Resources LLC Virginia, USA. Presentation by: Colm Ó hÁonghusa.
Click to edit Master title style Page - 1 OneSky Teams Step-by-Step Online Corporate Communication Support 2006.
Jeopardy Q 1 Q 6 Q 11 Q 16 Q 21 Q 2 Q 7 Q 12 Q 17 Q 22 Q 3 Q 8 Q 13
Jeopardy Q 1 Q 6 Q 11 Q 16 Q 21 Q 2 Q 7 Q 12 Q 17 Q 22 Q 3 Q 8 Q 13
Properties of Real Numbers CommutativeAssociativeDistributive Identity + × Inverse + ×
Exit a Customer Chapter 8. Exit a Customer 8-2 Objectives Perform exit summary process consisting of the following steps: Review service records Close.
Human Service Providers and Referrals Chapter 5. Human Service Providers and Referrals 5-2 Objectives Demonstrate the process for entering a Human Service.
FACTORING ax2 + bx + c Think “unfoil” Work down, Show all steps.
Year 6 mental test 10 second questions
Server Access The REST of the Story David Cleary
Web Service Testing RESTful Web Services Snejina Lazarova Dimo Mitev
Safe Harbor Statement The following is intended to outline our general product direction. It is intended for information purposes only, and may not be.
Solve Multi-step Equations
REVIEW: Arthropod ID. 1. Name the subphylum. 2. Name the subphylum. 3. Name the order.
Week 2 The Object-Oriented Approach to Requirements
1 The phone in the cloud Utilizing resources hosted anywhere Claes Nilsson.
ABC Technology Project
© 2012 SecureAuth. All rights reserved. 2-Factor Authentication and Single Sign-On in a Mobile World Thursday, December 5,
1 ITSS This overview deck contains two sections. Please use the links below to navigate –How to Register for ITSS Application AccessHow to Register for.
VOORBLAD.
1 Welcome to SAPS Webmail. 2 Things we will learn about: 1. Login to mail.
IONA Technologies Position Paper Constraints and Capabilities for Web Services
Sample Service Screenshots Enterprise Cloud Service 11.3.
Factor P 16 8(8-5ab) 4(d² + 4) 3rs(2r – s) 15cd(1 + 2cd) 8(4a² + 3b²)
Squares and Square Root WALK. Solve each problem REVIEW:
Basel-ICU-Journal Challenge18/20/ Basel-ICU-Journal Challenge8/20/2014.
1..
31242/32549 Advanced Internet Programming Advanced Java Programming
© 2012 National Heart Foundation of Australia. Slide 2.
Understanding Generalist Practice, 5e, Kirst-Ashman/Hull
25 seconds left…...
Januar MDMDFSSMDMDFSSS
We will resume in: 25 Minutes.
©Brooks/Cole, 2001 Chapter 12 Derived Types-- Enumerated, Structure and Union.
12 January 2009SDS batch generation, distribution and web interface 1 ExESS IT tool for SDS batch generation, distribution and web interface ExESS IT tool.
Intracellular Compartments and Transport
PSSA Preparation.
VPN AND REMOTE ACCESS Mohammad S. Hasan 1 VPN and Remote Access.
Essential Cell Biology
- 1 - Defense Security Service Background: During the Fall of 2012 Defense Security Service will be integrating ISFD with the Identity Management (IdM)
Presenter: James Huang Date: Sept. 29,  HTTP and WWW  Bottle Web Framework  Request Routing  Sending Static Files  Handling HTML  HTTP Errors.
Profile. 1.Open an Internet web browser and type into the web browser address bar. 2.You will see a web page similar to the one on.
Introduction Peter Dolog dolog [at] cs [dot] aau [dot] dk Intelligent Web and Information Systems September 9, 2010.
User Security for e-Post Applications Dr Chandana Gamage University of Moratuwa.
Authentication solutions for Outlook and Office 365 Multi-factor authentication for Office 365 Outlook client futures.
Access Control Patterns & Practices with WSO2 Middleware Prabath Siriwardena.
SWITCHaai Team Introduction to Shibboleth.
WSO2 Identity Server 4.0 Fall WSO2 Carbon Enterprise Middleware Platform 2.
Access Policy - Federation March 23, 2016
API (Application Program Interface)
Federation made simple
Presentation transcript:

Keeping access control while moving to the cloud Password Reuse webcomic: https://xkcd.com/792/ Required reading Keeping access control while moving to the cloud Presented by Zdenek Nejedly Computing & Communications Services University of Guelph

Keeping access control while moving to the cloud Presented by Zdenek Nejedly Computing & Communications Services University of Guelph

Objectives Intro: University of Guelph mail migration Review: Access Management in the Cloud Conclusion: Solutions and Lessons Learned Computing & Communications Services www.uoguelph.ca/ccs

University of Guelph mail migration Can Access management help ? Computing & Communications Services www.uoguelph.ca/ccs

Migration project highlights Migrating 36k undergraduate students Production Sep 1, 2014 Expanding from one to two mail systems Google Apps for Education Zimbra Collaboration Suite University of Guelph - Computing & Communications Services - www.uoguelph.ca/ccs

Migration project challenges User: two mail systems - am I on Google or Zimbra? Or both? University: policy confirmation before authorizing access to the service - how can we serve it to the users? Can we have a Single access point? Can we customize the authN flow? University of Guelph - Computing & Communications Services - www.uoguelph.ca/ccs

Access Management technologies for the cloud services Computing & Communications Services www.uoguelph.ca/ccs

Do you provide Web Access Management on your campus? Do you provide authentication for cloud services? How? Shibboleth? CAS? ADFS? Other SAML 2 or non-SAML? Custom SSO?

Why Web Access Management? Functions: authN, authZ, SSO, attrs, audit Benefits: Security: secured credentials Password Reuse xkcd.com/792 User experience: single identity, SSO Service Providers:  friction -  retention Identity providers: lower management cost University of Guelph - Computing & Communications Services - www.uoguelph.ca/ccs

Cloud authentication: the early years SSO mostly as a custom solution Secret token exchanged between the parties Individual solutions  high cost University of Guelph - Computing & Communications Services - www.uoguelph.ca/ccs

Cloud authentication: the protocols Gartner (2013) “…Gartner estimates a penetration well over 50% worldwide for SAML-based federations..” University of Guelph - Computing & Communications Services - www.uoguelph.ca/ccs

SOAP What do I need to know? Role Based Access Control (RBAC) Claims Consumer (CC) Attribute Based Access Control (ABAC) Security Assertion Markup Language (SAML) What do I need to know? One Time Password (OTP) Identity Provider (IdP) SOAP Relying Party (RP) JSON Web Token (JWT) Claims Provider (CP) Asserting Party (AP) University of Guelph - Computing & Communications Services - www.uoguelph.ca/ccs

HTTP & HTTPS GET & POST HTTP - application protocol (RFC 2616) Tech Primer SAML & OAuth SOAP & REST XML & JSON GET & POST HTTP & HTTPS HTTP & HTTPS HTTP - application protocol (RFC 2616) Stateless GET & POST methods in HTTP GET: resource retrieval, preserved in redirects POST: sends data to the server in the body, may be lost in redirects GET http://example.com/stocks.cgi?name=IBM HTTP/1.1 POST https://example.com/authenticate HTTP/1.1 Content-Type: application/x-www-form-urlencoded Content-Length: 31 username=jane&password=w0rld2u HTTP/1.1 302 Found Location: http://example.org/secure/docs/ Sample response University of Guelph - Computing & Communications Services - www.uoguelph.ca/ccs

XML & JSON free open standards eXtensible Markup Language Tech Primer SAML & OAuth SOAP & REST XML & JSON GET & POST HTTP & HTTPS eXtensible Markup Language XML & JSON free open standards JavaScript Object Notation <person> <firstName>John</firstName> <lastName>Smith</lastName> <isAnalyst>true</isAnalyst> <phoneNumbers> <phone type="home">123 123-1234</phone> <phone type=“cell">123 123-9999</phone> </phoneNumbers> </person> { "firstName": "John", "lastName": "Smith", "isAnalyst": true, "phone": [ { "type": "home", "number": "123 123-1234" }, { "type": "fax", "number": "123 123-9999" } ] } University of Guelph - Computing & Communications Services - www.uoguelph.ca/ccs

SOAP & REST Communication protocol Architectural design style Tech Primer SAML & OAuth SOAP & REST XML & JSON GET & POST HTTP & HTTPS Communication protocol SOAP & REST Architectural design style University of Guelph - Computing & Communications Services - www.uoguelph.ca/ccs

Tech Primer SAML & OAuth SOAP & REST XML & JSON GET & POST HTTP & HTTPS Example of a SOAP fault message (http://www.w3.org/TR/soap12-part1/#faultcodes) <env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope" xmlns:m="http://www.example.org/timeouts" xmlns:xml="http://www.w3.org/XML/1998/namespace"> <env:Body> <env:Fault> <env:Code> <env:Value>env:Sender</env:Value> <env:Subcode> <env:Value>m:MessageTimeout</env:Value> </env:Subcode> </env:Code> <env:Reason> <env:Text xml:lang="en">Sender Timeout</env:Text> </env:Reason> <env:Detail> <m:MaxTime>P5M</m:MaxTime> </env:Detail> </env:Fault> </env:Body> </env:Envelope> University of Guelph - Computing & Communications Services - www.uoguelph.ca/ccs

REST (Roy Fielding 2000) Tech Primer SAML & OAuth SOAP & REST XML & JSON GET & POST HTTP & HTTPS REST (Roy Fielding 2000) University of Guelph - Computing & Communications Services - www.uoguelph.ca/ccs

SAML 2.0 & OAuth 2.0 AuthN, authZ, attrs Intended for Authorization Tech Primer SAML & OAuth SOAP & REST XML & JSON GET & POST HTTP & HTTPS AuthN, authZ, attrs Intended for Authorization SAML 2.0 & OAuth 2.0 Server-side Web App Web Browser SSO Profile University of Guelph - Computing & Communications Services - www.uoguelph.ca/ccs

SAML Authentication Flow for Google Apps (Web Browser SSO Profile) Service Provider (Google) Tech Primer SAML & OAuth SOAP & REST XML & JSON GET & POST HTTP & HTTPS GET https://mail.google.com/a/uoguelph.org 1 5 User’s Gmail content returned 2 POST https://www.google.com/a/uoguelph.org/acs 4 GET https://idp.uoguelph.org/SSO?SAMLRequest=... Identity Provider 3 3 SAML Authentication Flow for Google Apps (Web Browser SSO Profile) Browser requests Gmail content Browser redirected to IdP with AuthnRequest IdP identifies the user Browser posts Response to Google with NameID Google returns Gmail content University of Guelph - Computing & Communications Services - www.uoguelph.ca/ccs

    Tech Primer SAML & OAuth Client/ Claims Consumer (web app) SOAP & REST XML & JSON GET & POST HTTP & HTTPS Accessing app content   1 API calls  6  5 7 2 4 Request authZ code Authorization Server (API Provider) 3 OAuth 2 Authorization flow (Server Side Web App profile) Browser accesses Claim Consumer (CC) Browser redirected to the Authorization Server (AS) User authenticates, AS issues Authorization Code  Browser redirected to CC with  CC posts  to AS CC receives JSON response with Access Token  CC makes an API call to the API Provider with Access Token  University of Guelph - Computing & Communications Services - www.uoguelph.ca/ccs

More on OAuth 2.0 and OpenID Connect Talk by Ryan Boyd http://www.youtube.com/watch?v=YLHyeSuBspI Getting started with OAuth 2.0 O’Reilly (2012) University of Guelph - Computing & Communications Services - www.uoguelph.ca/ccs

Solutions, lessons learned and the next steps Computing & Communications Services www.uoguelph.ca/ccs

Challenge: where is my mail? Zimbra Staff, faculty, grads Multiple roles? Transient entitlements? Undergrads Gmail University of Guelph - Computing & Communications Services - www.uoguelph.ca/ccs

Solution: Single access point Zimbra Mail SSO Middleware determines the correct mail system and routes the user accordingly Gmail University of Guelph - Computing & Communications Services - www.uoguelph.ca/ccs

Challenge: can we add a business process into the authN flow? Default Google Apps SAML2 AuthN Flow Service Provider (Google) 1 5 User’s Gmail content returned 2 4 UofG Identity Provider 3 3 University of Guelph - Computing & Communications Services - www.uoguelph.ca/ccs

Solution: insert middleware User confirms the Policies served by the Mail SSO Middleware (2a-2c) Service Provider (Google) 1 5 User’s Gmail content returned 2a 4 2b 2c Mail SSO Middleware with the Policy engine UofG Identity Provider 3 3 University of Guelph - Computing & Communications Services - www.uoguelph.ca/ccs

University of Guelph - Computing & Communications Services - www University of Guelph - Computing & Communications Services - www.uoguelph.ca/ccs

Availability expectations for WAM? Clustering? Standby infrastructure?

Next steps - opportunities Weak points? Efficiency? Re-used for multifactor authN Build the policy module into the Access Manager authentication University of Guelph - Computing & Communications Services - www.uoguelph.ca/ccs

And remember - don’t reuse your password Takeaway points With Access Management we can: create a single access point for both email systems build a policy confirmation even into proprietary services With increasing dependencies comes increasing requirement on high availability. Re-used for multifactor authN And remember - don’t reuse your password University of Guelph - Computing & Communications Services - www.uoguelph.ca/ccs

Acknowledgements Universities already on Google Apps - Thank you for sharing your experience with us. University of Guelph Gryph Mail SSO team: Fazil, Hugh, Jill, Leo, Matt, Paul, Rob, Saveena, and Zdenek Computing & Communications Services www.uoguelph.ca/ccs

External identities Predicts 2014: Identity and Access Management (Gartner): “..by 2020 60% identities interacting with the enterprise will come from external IdPs (up from 10% today)…” Are you using (or plan to) social identities on your campus?

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.