Integration Considerations
Greg Thompson, April 20th, 2006
Copyright © 2006, Credentica Inc. All Rights Reserved.


Slide 1: Integration Considerations (title slide)

Slide 2: Overview
- Integration into enterprise I&AM
- Identity & Access Management Frameworks
  - Liberty Alliance ID-FF / SAML 2.0
  - Liberty Alliance ID-WSF
  - Microsoft InfoCard
- Open Standards
  - SAML 2.0
  - XML Signature
  - WS-Security
  - WS-Trust
- Authentication
- Credentica implementations
(Footer on slides 2 to 20: Copyright © 2006, 9112-1772 Quebec Inc. Proprietary and Confidential)

Slide 3: Integration into enterprise I&AM (section divider)

Slide 4: DC-enabling a legacy I&AM application
[Architecture diagram; labels: AS, IdS, Internal RPs, External RPs, Federated RPs, Credentica servers (CIPS CIVSCAAS), Token validation module, Client Component, X.509, Kerberos, LDAP]

Slide 5: Identity & Access Management Frameworks (section divider)

Slide 6: Liberty Alliance ID-FF / SAML 2.0
- DC used only to authenticate with IdP
- DC used for proactive SSO with SPs
- DC used for unlinkable authentication with IdP
[Diagram; parties: User, IdP, SPa, SPb]

Slide 7: Liberty Alliance ID-WSF
- DC-based security mechanism for all message exchanges
- LUAD can manage authentication and attribute delivery
- “Certified” Data Service
  - Authority issues DCs to Data Service during Create/Update
  - Data Service uses DCs to prove Query results to requestors
  - Data Service may be hosted on User device
- Note: we are addressing requirements together with Liberty Alliance TEG (we are a member)

Slide 8: Microsoft “InfoCard”
- IC Issuer provides ic:InfoCard and DCs to User
- User device proves required claims to Relying Parties
- IC Issuer is out of the loop
- Note: we are currently exploring tight integration into InfoCard with Microsoft

Slide 9: Open Standards (section divider)

Slide 10: SAML 2.0
- Profiles of usage patterns involving multiple parties
- Bindings of their messages to specific communications mechanisms
- Protocols that define the messages themselves
- An Assertion format that conveys Statements about a Subject from an Issuer

Slide 11: SAML Assertion
- May contain any number of Statements relating to
  - An authentication event
  - Some attributes
  - An authorization decision
  - Or any other app-specific information
- May contain usage Conditions and Advice
- May be signed by its issuer ... which may create a digital wake

Slide 12: DC-based SAML Assertion
- Subject can construct a SAML Assertion with:
  - Statements derived from certified attributes
  - Digital Credential public key
  - Issuer's signature
  - DC proof of Statements
- Relying party verifies DC proof
- No more digital wake

Slide 13: XML Signature
- Holds a SignatureValue
  - made using a key described by KeyInfo
  - and computed using some SignatureMethod
  - over a canonicalized SignedInfo
    - holding one or more Reference elements
      - that refer to ... and hold digests of any data

Slide 14: DC-based XML Signature
- KeyInfo can contain or refer to a DC public key
- New SignatureMethod Algorithm URI for DC-based signature
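As an added illustration (not code from the presentation or from Credentica), the issuer-signed SAML Assertion of slide 11 carrying the enveloped XML Signature structure of slide 13, together with the relying-party checks: the SignatureValue over the canonicalized SignedInfo, that the Reference covers the assertion actually being verified, and that its digest matches. HMAC-SHA256 (a registered xmldsig-more SignatureMethod) stands in for the issuer's signature and a whitespace-stripping serializer stands in for Canonical XML; both are constructed simplifications, and the DC-based SignatureMethod URI of slide 14 and the DC proof of slide 12 are not modelled.

```python
import base64, copy, hashlib, hmac
import xml.etree.ElementTree as ET

DS, SAML = "http://www.w3.org/2000/09/xmldsig#", "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("ds", DS); ET.register_namespace("saml", SAML)
SHA256_URI = "http://www.w3.org/2001/04/xmlenc#sha256"
HMAC_URI = "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"  # stand-in for the issuer's signature

# Constructed sample assertion: one AttributeStatement about a Subject, from an Issuer.
ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML}" ID="_a1" Version="2.0">
  <saml:Issuer>https://idp.example.test</saml:Issuer><saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  <saml:AttributeStatement><saml:Attribute Name="over18">
    <saml:AttributeValue>true</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
</saml:Assertion>"""

def ds(name): return f"{{{DS}}}{name}"  # qualified name in the xmldsig namespace

def c14n(elem):
    """Stand-in for Canonical XML (constructed simplification: drop whitespace-only text, then
    serialize). A real verifier runs the CanonicalizationMethod named in SignedInfo instead."""
    node = copy.deepcopy(elem)
    for e in node.iter():
        if e.text and not e.text.strip(): e.text = None
        if e.tail and not e.tail.strip(): e.tail = None
    return ET.tostring(node, encoding="unicode").encode()

def sign(assertion_xml, key, key_name):
    """Reference digests the (Signature-free) assertion; SignatureValue is a MAC over c14n(SignedInfo)."""
    root = ET.fromstring(assertion_xml)
    digest = hashlib.sha256(c14n(root)).digest()  # taken before the Signature element exists
    sig = ET.SubElement(root, ds("Signature"))
    si = ET.SubElement(sig, ds("SignedInfo"))
    ET.SubElement(si, ds("SignatureMethod"), Algorithm=HMAC_URI)
    ref = ET.SubElement(si, ds("Reference"), URI="#" + root.get("ID"))
    ET.SubElement(ref, ds("DigestMethod"), Algorithm=SHA256_URI)
    ET.SubElement(ref, ds("DigestValue")).text = base64.b64encode(digest).decode()
    mac = hmac.new(key, c14n(si), hashlib.sha256).digest()
    ET.SubElement(sig, ds("SignatureValue")).text = base64.b64encode(mac).decode()
    ET.SubElement(ET.SubElement(sig, ds("KeyInfo")), ds("KeyName")).text = key_name  # key described by KeyInfo
    return root

def verify(root, key):
    """Relying-party checks: SignatureValue over SignedInfo, Reference covers this assertion, digest matches."""
    sig = root.find(ds("Signature")); si = sig.find(ds("SignedInfo"))
    mac = hmac.new(key, c14n(si), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, base64.b64decode(sig.findtext(ds("SignatureValue")))): return False
    if si.find(ds("Reference")).get("URI") != "#" + root.get("ID"): return False  # not some other element
    body = copy.deepcopy(root); body.remove(body.find(ds("Signature")))  # enveloped-signature transform
    digest = hashlib.sha256(c14n(body)).digest()
    return hmac.compare_digest(digest, base64.b64decode(si.find(ds("Reference")).findtext(ds("DigestValue"))))
```

Editing a certified attribute after signing breaks the Reference digest, while editing anything inside SignedInfo breaks the SignatureValue; both are rejected by verify.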

Slide 15: WS-Security
- Provides security services for SOAP
- "Security tokens" in SOAP headers provide
  - Message integrity
  - Message confidentiality
- Digital Credential integrity protection using:
  - DC-based SAML Assertion security token
  - DC-based XML Signature over message

Slide 16: WS-Trust
- Defines a Security Token Service
  - Exchanges one kind of token for another
- Issuance binding to issue Digital Credentials
- Validation binding to verify DC showings

Slide 17: Authentication (section divider)

Slide 18: Authentication at different layers
- Network Layer
  - No changes required for applications
  - DC used by VPN clients
  - ISAKMP for IPsec
- Transport Layer
  - May require changes to applications, but only to plumbing
  - DC used by application clients
  - TLS cert_type hello extension
- Application Layer
  - Requires localized changes to applications
  - SPKM for GSS-API
    - Integration into CORBAsec, GSS-API users, and SASL users
  - Liberty Alliance SAEG TMa spec (“iClient” originating from Intel)

Slide 19: Credentica implementations (section divider)

Slide 20: Implementations
- Now:
  - Java Servlets for DC issuance and verification
  - Nokia S60 Browser “filter” for DC issuance and use
  - Java Applet for DC issuance and use
  - Mozilla Firefox Extension (experimental)
- Future Possibilities:
  - Internet Explorer Browser Helper Object
  - Windows SSP/AP for local and network logon
  - Authentication Modules for major I&AM suites
    - Sun Java System Access Manager
    - HP OpenView Select Access
    - Etc.
