Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Liberty Specifications Tutorial Alexandre Stervinou Technical Consultant, RSA Security

Published byGabriel MacPherson Modified over 10 years ago

Similar presentations

Presentation on theme: "1 Liberty Specifications Tutorial Alexandre Stervinou Technical Consultant, RSA Security"— Presentation transcript:

1 1 Liberty Specifications Tutorial WWW.PROJECTLIBERTY.ORG Alexandre Stervinou Technical Consultant, RSA Security astervinou@rsasecurity.com

2 2 Tutorial Outline Introduction to Liberty Alliance Overview & Key Concepts Resources Architecture and Specification documents Phase 1 - ID-FF –Federated identity life-cycle –Metadata –SCR & Interoperability Conformance/Validation –Security Mechanisms Phase 2 - ID-WSF & ID-SIS –Personal profile scenario Privacy & Security Guidelines Business Guidelines

3 3 Identity Crisis Joes Fish Market.Com Tropical, Fresh Water, Shell Fish, Lobster,Frogs, Whales, Seals, Clams

4 4 Open Interaction and Participation Liberty Alliance and Members IETF W3C OASIS OMA Standards Bodies Government Lobby Groups Other technologies MS Passport WS-Federation Vendors/Providers Apache Open Source Community Sun AOL HP Nokia Utilize & Influence Co-operate Media Develop & Deploy Users Requirements

5 5 Key Concepts and Terminology Identity Simplified Sign-On Single Logout Network Identity / Federated Identity Circle of Trust –Principal –Identity Provider (IdP) –Service Provider (SP) –Liberty Enabled Clients or Proxies (LECP) Pseudonyms & Anonymity Authentication Assertion (SAML)

6 6 COMPONENT DEFINITIONEXAMPLE AUTHENTICATION: A level of security guaranteeing the validity of an identity representation Govt issued (Drivers license, social security, Passport) Biometric (Fingerprint, Retinal Scan, DNA) Self-selected (PIN number, secret password) AUTHORIZATION: The provisioning of services or activities based upon an authenticated identity Services based on attributes (e.g,. Travel, entertainment, dining) Transaction consumption Gradient levels of service (e.g., based on employee level) ATTRIBUTES: Traits, profiles, preferences of an identity, device, or business partner Personal consumer preferences (e.g., travel, entertainment, dining) Identity-specific histories (e.g., purchases, medical records, etc.) Device capabilities information (e.g., text-only, video, etc.) Key Concepts Network Identity Concepts

7 7 Partner G Circle of Trust Model Partner A Partner D Partner C Partner B Partner F Partner E Partner H Identity Service Provider (e.g. Financial Institution, HR) Trusted entity Authentication infrastructure Maintains Core Identity attributes Offers value-added services (optional) Affiliated Service Providers Offer complimentary service Don't (necessarily) invest in authentication infrastructure Network Identity Hub Provider Circle of Trust Business agreements SLAs Policies/Guidelines/AUP

8 8 Key Concepts Authentication Assertion (SAML) Authentication Assertion Assertion ID Issuer Issue Instant (timestamp) Validity time limit Audience Restriction Authentication Statement Authentication Method Authentication Instant User account info (IdP pseudonym) User account info (SP pseudonym) Digital Signature of assertion

9 9 Resources Liberty Developer Resource Center www.projectliberty.org/resources/resources.html SAML www.oasis-open.org/committees/security SOAP www.w3.org/2000/xp/Group/ SSL/TLS www.ietf.org/html.charters/tls-charter.html

10 10 Complete Liberty Architecture Liberty Identity Services Interface Specifications (ID-SIS) Liberty Identity Federation Framework (ID-FF) Liberty Identity Web Services Framework (ID-WSF) Enables identity federation and management through features such as identity/account linkage, simplified sign on, and simple session management Enables interoperable identity services such as personal identity profile service, alert service, calendar service, wallet service, contacts service, geo-location service, presence service and so on. Provides the framework for building interoperable identity services, permission based attribute sharing, identity service description and discovery, and the associated security profiles Liberty specifications build on existing standards

11 11 Liberty Meta Data 1.2 Liberty Authentication Context 1.2 ID-FF Protocols and Schemas 1.2 ID-WSF Discovery Service 1.0 ID-WSF Security Mechanisms 1.0 ID-WSF SOAP Binding 1.0 Identity Services Templates Web Services Bindings & Profiles Liberty Reverse HTTP Binding 1.0 Liberty SASL-based SOAP AuthN 1.0 ID-FF Bindings and Profiles 1.2 ID-WSF Interaction Service 1.0 Core Identity Services Protocols ID-SIS ID-FF ID-WSF ID-FF Architectural Overview 1.2 ID-FF Implementation Guidelines 1.2 ID-WSF Data Services Template 1.0 ID-WSF Security & Privacy Overview 1.0 ID-WSF Architecture Overview 1.0 Liberty Trust Model Guidelines Liberty Glossary Normative Non-Normative Coming Soon ID-Personal Profile 1.0 ID-Personal Profile Implementation Guidelines 1.0 ID-Employee Profile 1.0 ID-Employee Profile Implementation Guidelines 1.0 ID-WSF Client Profiles 1.0 ID-WSF Static Conformance Req. 1.0 ID-FF Static Conformance Req. 1.2 ID-WSF Implementation Guidelines 1.0 Liberty Specifications

12 12 Phase 1 - ID-FF Federated identity life-cycle Metadata SCR & Conformance Security Mechanisms Authentication Context

13 13 Federated Identity Life-Cycle

14 14 Metadata Metadata specification extensible framework for describing –cryptographic keys –service endpoints information –protocol and profile support in real time Metadata exchange options: –In-band DNS based discovery –In-band URI based discovery –Out-of-band Classes of metadata: –Entity provider metadata –Entity affiliation metadata –Entity trust metadata Origin and document verification through use of signatures

15 15 Identity Provider Introduction Optional profile Common Domain Cookie –MUST be named _liberty_idp –MUST be base-64 encoded list of IdP succinct Ids –Session or Persistent Common domain established within the identity federation network for use with introduction protocol

16 16 Single Sign On and Federation UserIDPSP Login/Authenticate Introduction cookie Login/Authenticate You have a cookie from IDP, federate accounts? Yes, federate my accounts Redirect to IDP with Authentication Request AuthnRequest Authentication Assertion Issued Redirect to SP Here is my SAML Assertion or SOAP endpoint @ IDP SOAP Process Assertion Start service

17 17 Federating an Identity IdP A Airline, Inc Welcome to Fly Right Airline Group Do you want to federate your Car Rental, Inc. account? SP 1 CarRental, Inc Fly Right Airline Group Welcome John12 Youre signed on. Airline, Inc CarRental, Inc Perform federation Access after Federation Yes Cancel

18 18 Account Federation Details (1) User connects to IdP and authenticates Airline, Inc Fly Right Airline Group Login: Password: John xxx Identity Provider User goes to IdP of his choosing and authenticates himself. For example, using ID and password. UserIDPSP Enter URL, connect to IdP Authentication Request User authentication (e.g., ID and password) Authentication Check Web page is displayed Other authentication methods are possible (e.g. certificate-based, Kerberos, etc.

19 19 Account Federation Details (2) User can choose to federate accounts with the IdP Identity Provider UserIDPSP Service Provider Begin Federation Airline, Inc Fly Right Airline Group Welcome, John You can link the following accounts Car Rental, Inc Yes After authenticating with the IdP other accounts that can be federated are listed Initial authentication Authentication Completed Federation Request

20 20 Account Federation Details (3) Federation initiated at the IdP Identity Provider UserIDPSP Service Provider Authentication Check Car Rental, Inc Fly Right Airline Group ID: Password: Federate with Airline, Inc OK Federation requires connecting to the SP and authenticating once SP login and federation opt-in Federation Processing Redirect to SP for federation User authentication Redirect

21 21 Account Linking and Identity Federation IDP account SP1 account Alias: mr3tTJ Domain: SP_1.com Name: dTvIiR Alias: xyrVdS Domain: SP_2.com Name: pfk9uz John123@idp Federate account John_s@sp1 SP2 account John_0811@sp2 Alias: pfk9uz Domain: IDP_A.com Name: xyrVdS User handles (name identifiers) –Eliminates need for global ID –Prevents collusion between SP1 and SP2 Federate account Alias: dTvIiR Domain: IDP_A.com Name:mr3tTJ Federate account

22 22 Single Sign-on Instead of the SP directly authenticating the user the SP queries the IdP and the IdP issues an authentication assertion (2) User authentication request (from SP) (3) Authentication Assertion issued Identity Provider Service Provider (4) Authentication Assertion sent (1) Initial authentication HTTP redirect

23 23 Single Sign-On (1) User connects to IdP and authenticates Airline, Inc Fly Right Airline Group Login: Password: John xxx Identity Provider User goes to IdP of his choosing and authenticates himself. For example, using ID and password. UserIDPSP Enter URL, connect to IdP Authentication Request User authentication (e.g., ID and password) Authentication Check Web page is displayed Other authentication methods are possible

24 24 Single Sign-On (2) User chooses an SP Airline, Inc Fly Right Airline Group Welcome, John Federated SPs Car Rental, Inc Hotels, Inc Identity Provider UserIDPSP Choose SP or enter URL Service Provider IdP web page is displayed Authentication Request User is connected to the SP he chooses

25 25 Single Sign-On (3) User redirected to IdP based on authentication request from SP Identity Provider UserIDPSP Service Provider User authentication request results in redirect to IdP HTTP Redirect Authentication Request SP can specify the authentication level it requires Authentication Request Authentication Request (redirect)

26 26 Single Sign-On (4) IdP issues an authentication assertion Identity Provider UserIDPSP Service Provider Assertion is generated if user is authenticated and identity at the SP is federated Authentication Assertion Issued If user is not already authenticated at IdP then initial authentication is performed Airline.inc Fly Right Airline Group Login: Password: Issuance of authentication assertion Authentication Request (redirect)

27 27 Single Sign-On (5) Authentication assertion sent from IdP to Sp Identity Provider UserIDPSP Service Provider HTTP Redirect Authentication Assertion sent Secure communication channel (SSL) is required Authentication Assertion sent * Only Browser Post profile ** In Browser-artifact profile the IdP and SP would exchange the authentication assertion between themselves (back-channel) Authentication Assertion sent (SOAP) Authentication Assertion Issued Authentication Assertion Sent (redirect)

28 28 Single Sign-On (6) SP checks the authentication assertion and allows access to service Identity Provider UserIDPSP Service Provider Check authentication assertion Start service Service started Car Rental.inc Fly Right Airline Group Welcome, John123 [Authenticated] Check authentication assertion

29 29 Single Sign-On Available profiles: –Browser Artifact –Browser POST –LECP

30 30 Browser Artifact Single Sign-On Profile

31 31 Browser POST Single Sign-On Profile

32 32 LECP Single Sign-On Profile

33 33 Single Logout (1) Single logout initiated at the IdP Identity Provider UserIDPSP Service Provider Process logout Airline, Inc Fly Right Airline Group Do you want to logout? Logout from all Service Providers Yes The IdP can offer to logout the user from all sessions that were authenticated by this IdP Authentication Completed Single logout request IdP logout web page is displayed Single logout request Single logout confirmed Single logout response Logout Request Sent * Only SOAP/HTTP-based profile. ** With HTTP Redirect and HTTP GET profiles the user agent contacts each SP directly

34 34 Single Logout Can be initiated at either the IdP or SP Available profiles –HTTP-Based For IdP-initiated: HTTP-Redirect or HTTP GET For SP-initiated: HTTP-Redirect –SOAP/HTTP-based

35 35 IdP-initiated Single Logout SOAP/HTTP-based

36 36 Federation Termination Notification Defederation Can be initiated at either the IdP or SP Available profiles –HTTP-Redirect-Based –SOAP/HTTP-based

37 37 IdP-initiated Federation Termination Notification HTTP-Redirect

38 38 IdP-initiated Federation Termination Notification SOAP/HTTP-based

39 39 Static Conformance Requirements SCR (ID-FF 1.1) describes four profiles and the specific features (required or optional) for each profile –IDP –SP Basic –SP Complete –LECP

40 40 Static Conformance Requirements FeatureIDP ProfileSP BasicSP CompleteLECP Single Sign-On using Artifact ProfileMUST Single Sign-On using Browser POST ProfileMUST Single Sign-On using LECP ProfileMUST Register Name Identifier (IdP Initiated) - HTTP RedirectOPTIONALMUST Register Name Identifier (IdP Initiated) - SOAP/HTTPOPTIONAL MUST Register Name Identifier (SP Initiated) - HTTP RedirectMUST Register Name Identifier (SP Initiated) - SOAP/HTTPMUSTOPTIONALMUST Federation Termination Notification (IdP Initiated) - HTTP Redirect MUST Federation Termination Notification (IdP Initiated) - SOAP/HTTP MUSTOPTIONALMUST Federation Termination Notification (SP Initiated) - HTTP Redirect MUST Federation Termination Notification (SP Initiated) - SOAP/HTTP MUSTOPTIONALMUST Single Logout (IdP Initiated) - HTTP RedirectMUST Single Logout (IdP Initiated) - HTTP GETMUST Single Logout (IdP Initiated) - SOAPMUSTOPTIONALMUST Single Logout (SP Initiated) - HTTP RedirectMUST Single Logout (SP Initiated) - SOAPMUSTOPTIONALMUST Identity Provider IntroductionMUSTOPTIONAL

41 41 Interoperability Validation A vendor becomes eligible to be licensed to use the Liberty Interoperable Logo by asserting compliance against one or more Liberty Alliance SCR conformance profiles and then participating in a Liberty Alliance InterOp event to validate the assertion(s).

42 42 Security Mechanisms Channel Security –SPs authenticate IdPs using IdP server-side certificates –Mutual authorization: SPs configured with list of authorized IdPs and IdPs configured with list of authorized SPs –Before user presents personal authentication data to IdP the authenticated identity of IdP must be presented to the user Message Security –Digital signatures should use key pairs distinct from those used for TLS and SSL, also suitable for long- term –Request protected against replay and responses checked for correct correspondence with issued requests

43 43 Authentication Context Not all SAML assertions are created equally –Different Authorities will issue SAML assertions of different quality How will a consumer of these assertions discriminate? Authentication Context is the information extra to the SAML assertion itself that describes: –Identification, e.g. Physical verification –Physical Protection, e.g. Private Key in hardware –Operational Protection, e.g. N of M controls –Authentication Mechanisms e.g. Smartcard with PIN Gives a consumer of a SAML assertion the information they need in order to determine how much assurance to place in the assertion

44 44 Authentication Context Liberty defined an XML Schema by which the Authority can assert the context of the SAML assertions it issues Liberty also defined Authentication Context classes – patterns against which an IdP can claim conformance Classes are designed to be representative of todays (and future) authentication technologies, for instance: –Password over SSL –Smartcard –Pre-paid Mobile Login –Biometric

45 45 Authentication Context SPs have a means to say: –I require that the User be authenticated with: Smart card with private key, Password or better, Any mechanism, you decide, I trust your opinion –The assertion you previously sent is insufficient for my current transaction, authenticate the user again IDPs have a means to indicate to the SP the specific details: –Password policy requires 8 characters minimum, e.g. –The User was physically present at registration

46 46 Phase 2 - Basic Flow UserSPIDP Single Sign-On DiscoAP IS Access Site Shipping Address? Use my personal profile Where is attribute provider? Use this attribute provider Give me attributes Redirect UA to AP URL Redirect to AP URL HTTP GET to AP URL Request permission Give permission Redirect to SP HTTP GET Give me attributes Provide attributes In many case, these two entities is co-located, i.e., disco is the part of IDP In this scenario, IS is provided with redirect profile and thus, strictly speaking, IS is not an entity, i.e., IS is one of the functions of AP. check permission save permission check permission

47 47 Security & Privacy Guidelines ID-WSF Security & Privacy Overview –An overview of the security and privacy issues in ID-WSF technology and briefly explains potential security and privacy ramifications of the technology used in ID-WSF Privacy and Security Best Practices –Highlights certain national privacy laws, fair information practices and implementation guidance for organizations using the Liberty Alliance specifications.

48 48 Business Guidelines Federated Identity cannot be successful based on technology alone Address business issues that need to be considered when implementing circles of trust and enabling federated network identity –Mutual confidence –Risk –Liability –Compliance Application: Mobile Deployments Guideline

49 49 Liberty-enabled products & services Communicator (available) Computer Associates (Q4* 2003) DataKey (available) DigiGan (Q3* 2003) Ericsson (Q4 2003) Entrust (Q1 2004) France Telecom (Q4 2003) Fujitsu Invia (available) Gemplus (TBD) HP (available) July Systems (available) Netegrity (2004) NeuStar (available) Nokia (2004) Novell (available) NTT (TBD) NTT Software (available) Oblix (2004) PeopleSoft (available) Phaos Technology (available) Ping Identity (available) PostX (available) RSA (Q2 2004) Salesforce.com (TBD) Sigaba (available) Sun Microsystems (available) Trustgenix (available) Ubisecure (available) Verisign (Q4*) Vodafone (2004) WaveSet (available) *Delivery dates being confirmed

50 50 For more information… WWW.PROJECTLIBERTY.ORG

Download ppt "1 Liberty Specifications Tutorial Alexandre Stervinou Technical Consultant, RSA Security"

Similar presentations

Numbers Treasure Hunt Following each question, click on the answer. If correct, the next page will load with a graphic first – these can be used to check.

Numbers Treasure Hunt Following each question, click on the answer. If correct, the next page will load with a graphic first – these can be used to check.
1

1
1 Copyright © 2002 Pearson Education, Inc.. 2 Chapter 2 Getting Started.

1 Copyright © 2002 Pearson Education, Inc.. 2 Chapter 2 Getting Started.
Copyright © 2003 Pearson Education, Inc. Slide 1 Computer Systems Organization & Architecture Chapters 8-12 John D. Carpinelli.

Copyright © 2003 Pearson Education, Inc. Slide 1 Computer Systems Organization & Architecture Chapters 8-12 John D. Carpinelli.
Copyright © 2003 Pearson Education, Inc. Slide 7-1 Created by Cheryl M. Hughes The Web Wizards Guide to XML by Cheryl M. Hughes.

Copyright © 2003 Pearson Education, Inc. Slide 7-1 Created by Cheryl M. Hughes The Web Wizards Guide to XML by Cheryl M. Hughes.
1 Copyright © 2013 Elsevier Inc. All rights reserved. Chapter 4 Computing Platforms.

1 Copyright © 2013 Elsevier Inc. All rights reserved. Chapter 4 Computing Platforms.
1 Hyades Command Routing Message flow and data translation.

1 Hyades Command Routing Message flow and data translation.
Jeff Mischkinsky Nickolas Kavantzas Goran Olsson Web Services Choreography.

Jeff Mischkinsky Nickolas Kavantzas Goran Olsson Web Services Choreography.
Business Transaction Management Software for Application Coordination 1 www.choreology.com Business Processes and Coordination. Introduction to the Business.

Business Transaction Management Software for Application Coordination 1 Business Processes and Coordination. Introduction to the Business.
1 Introducing the Specifications of the Metro Ethernet Forum MEF 19 Abstract Test Suite for UNI Type 1 February 2008.

1 Introducing the Specifications of the Metro Ethernet Forum MEF 19 Abstract Test Suite for UNI Type 1 February 2008.
18 Copyright © 2005, Oracle. All rights reserved. Distributing Modular Applications: Introduction to Web Services.

18 Copyright © 2005, Oracle. All rights reserved. Distributing Modular Applications: Introduction to Web Services.
XML Standards Architect

XML Standards Architect
Local Customization Chapter 2. Local Customization 2-2 Objectives Customization Considerations Types of Data Elements Location for Locally Defined Data.

Local Customization Chapter 2. Local Customization 2-2 Objectives Customization Considerations Types of Data Elements Location for Locally Defined Data.
Process a Customer Chapter 2. Process a Customer 2-2 Objectives Understand what defines a Customer Learn how to check for an existing Customer Learn how.

Process a Customer Chapter 2. Process a Customer 2-2 Objectives Understand what defines a Customer Learn how to check for an existing Customer Learn how.
Plan My Care Brokerage Training Working in partnership with Improvement and Efficiency South East.

Plan My Care Brokerage Training Working in partnership with Improvement and Efficiency South East.
Plan My Care Training Care Management Working in partnership with Improvement and Efficiency South East.

Plan My Care Training Care Management Working in partnership with Improvement and Efficiency South East.
Plan My Care Training Care Management Working in partnership with Improvement and Efficiency South East.

Plan My Care Training Care Management Working in partnership with Improvement and Efficiency South East.
PUBLIC KEY CRYPTOSYSTEMS Symmetric Cryptosystems 6/05/2014 | pag. 2.

PUBLIC KEY CRYPTOSYSTEMS Symmetric Cryptosystems 6/05/2014 | pag. 2.
1 Advanced Tools for Account Searches and Portfolios Dawn Gamache Cindy Bylander.

1 Advanced Tools for Account Searches and Portfolios Dawn Gamache Cindy Bylander.
1 Click here to End Presentation Software: Installation and Updates Internet Download CD release NACIS Updates.

1 Click here to End Presentation Software: Installation and Updates Internet Download CD release NACIS Updates.

Similar presentations

Ads by Google