
Scenario w/ WS-Federation to SAML 2.0 interop challenge for Danish public sector

The following slides illustrate in a basic manner the technical/security challenge for establishing a gateway that can include WS-Federation based service requesters in a Danish public sector SAML 2.0-based federation.

Note: The purpose of these slides is to illustrate a technical requirement. In addition, any Identity Provider must be able to fulfil requirements for mature processes, validation of users before issuing credentials, SLAs etc. to be part of the federation and thus enable the described scenario, but it is beyond the scope of these slides to discuss those requirements. It is also beyond the scope of these slides to discuss how to calculate the extra cost of adding and operating a gateway, or how to distribute this cost to the partners in the federation.

Søren Peter Nielsen – 25 September 2006

Danish public sector shared service requirements for maintaining integrity of users' identity in a gateway scenario

[Diagram: Loginservice (IdP) with Attribute Service; authentication by Cert Auth, existing pin-codes or uid/pw; users (Citizen, Private employee, Public employee) log in via Web or Local network to a Service Provider (SAML 2.0)]

The above is one of the basic use cases for a Danish public sector federated identity concept. The SAML 2.0 standard is for many good reasons the preferred way to support this. However, there is a desire for a gateway function that also includes service requesters supporting only the WS-Federation specification, as illustrated on the next slide.

Danish public sector shared service requirements for maintaining integrity of users' identity in a gateway scenario

[Diagram: as on the previous slide, plus a Service Provider (Public employee) whose login uses WS-Federation w/ SAML 1.1 token; a SAML 2.0 Gateway converts WS-FED token -> SAML 2.0 token]

The desired gateway should allow service requesters to enter the federation using the WS-Federation specification and then convert the WS-Federation supplied token (presumably a SAML 1.1 token, as user attributes also should be transferred) to a SAML 2.0 token.

Danish public sector shared service requirements for maintaining integrity of users' identity in a gateway scenario

[Diagram: as on the previous slide, annotated with the labels "requires High confidence in asserted identity's validity" and "requires Some confidence in asserted identity's validity"]

The issue for the gateway scenario is when the service provider requires High confidence in asserted identity's validity. This requires the assertion to be signed at the point of origin. However, even if WS-Federation allows for signing the SAML 1.1 token, this signature cannot be maintained when the token is converted to a SAML 2.0 token.

The problem is

To allow external users access to person-sensitive data, Danish authorities require High confidence in asserted identity's validity.

Current WS-Federation implementations like Microsoft's Active Directory Federation Service do not support the SAML 2.0 token. Even if WS-Federation delivers a signed SAML 1.1 token, the signature cannot be maintained during a conversion to the SAML 2.0 token format.

Thus, even with a gateway option, service requesters using WS-Federation will still have to rely on other means for authentication when they want to access person-sensitive data at other authorities – and so the well-integrated login experience goes down the bucket: Single Sign-On is not possible. This is because the gateway option is only able to deliver Some confidence in asserted identity's validity.
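As an added illustration (not part of the slides) of the point made on the last two slides: a signature the IdP computes over the SAML 1.1 token bytes no longer verifies once the gateway re-expresses the assertion in SAML 2.0 structure, so the relying party can at best check a signature the gateway itself applied. The assertion content, the keys and the keyed-HMAC stand-in for a real XML-DSig are constructed assumptions.

```python
import hmac
import hashlib
import xml.etree.ElementTree as ET

SAML11 = "urn:oasis:names:tc:SAML:1.0:assertion"
SAML20 = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed SAML 1.1 assertion as a WS-Federation IdP might issue it (simplified, no real XML-DSig).
ORIGIN_TOKEN = (
    f'<Assertion xmlns="{SAML11}" MajorVersion="1" MinorVersion="1" '
    'Issuer="https://idp.example.dk">'
    '<AttributeStatement><Subject><NameIdentifier>emp-1234</NameIdentifier></Subject>'
    '<Attribute AttributeName="role"><AttributeValue>PublicEmployee</AttributeValue>'
    '</Attribute></AttributeStatement></Assertion>'
)

def sign(key: bytes, token: str) -> str:
    """Keyed HMAC standing in for the signature the IdP applies over the token bytes."""
    return hmac.new(key, token.encode(), hashlib.sha256).hexdigest()

def verify(key: bytes, token: str, sig: str) -> bool:
    """Verification is over the exact bytes presented; any re-serialisation breaks it."""
    return hmac.compare_digest(sign(key, token), sig)

def convert_to_saml20(token: str) -> str:
    """Gateway step: re-express the SAML 1.1 assertion in SAML 2.0 structure."""
    src = ET.fromstring(token)
    ns = {"s": SAML11}
    out = ET.Element(f"{{{SAML20}}}Assertion", Version="2.0")
    ET.SubElement(out, f"{{{SAML20}}}Issuer").text = src.get("Issuer")
    subj = ET.SubElement(out, f"{{{SAML20}}}Subject")
    ET.SubElement(subj, f"{{{SAML20}}}NameID").text = src.find(".//s:NameIdentifier", ns).text
    stmt = ET.SubElement(out, f"{{{SAML20}}}AttributeStatement")
    for a in src.findall(".//s:Attribute", ns):
        attr = ET.SubElement(stmt, f"{{{SAML20}}}Attribute", Name=a.get("AttributeName"))
        ET.SubElement(attr, f"{{{SAML20}}}AttributeValue").text = a.find("s:AttributeValue", ns).text
    return ET.tostring(out, encoding="unicode")

def gateway_flow(idp_key: bytes, gateway_key: bytes) -> dict:
    """What a SAML 2.0 service provider can actually check after the conversion."""
    origin_sig = sign(idp_key, ORIGIN_TOKEN)
    converted = convert_to_saml20(ORIGIN_TOKEN)
    return {
        "origin_sig_valid_on_saml11": verify(idp_key, ORIGIN_TOKEN, origin_sig),
        "origin_sig_valid_on_saml20": verify(idp_key, converted, origin_sig),  # bytes changed
        "gateway_sig_valid_on_saml20": verify(gateway_key, converted, sign(gateway_key, converted)),
        "attributes_carried_over": "PublicEmployee" in converted,
    }
```

The attributes survive the conversion, but the only signature that verifies on the SAML 2.0 token is the gateway's, which is why the slides rate the gateway path at Some rather than High confidence.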

Reference: Brief explaining why Denmark in spring 2005 chose to recommend SAML 2.0 instead of SAML 1.1 for federation in public sector solutions – 28 June 2006. The reference brief is embedded below.