2010 - Identity Federation and OpenID


Uploaded by: application-security-forum-western-switzerland

Posted on 18-Nov-2014

DESCRIPTION

OpenID: how does it work? How do you integrate your web application with OpenID? What is SAML? Cloud applications (Google Docs, Salesforce). OpenID vs SAML. Identity federation. SuisseID: status of the federal project. Authentication as a service (AaaS). OpenID in Switzerland with the Clavid IdP.

TRANSCRIPT

Page 1: 2010 - Identity Federation and OpenID

OpenID & SAML: Single Sign-On Concepts with a Future
(German title: OpenID & SAML: Single Sign-On Konzepte mit Zukunft)

OpenID & SAML, Identity Federation, SuisseID, Strong Authentication Service

Robert Ott, Master of Science (Honors), CFO

Fredi Weideli, Master of Computer Science, CTO

clavid ag, Zug


Geneva Application Security Forum 2010, March 4th 2010

Robert Ott

- OpenID Representative Switzerland

- CFO, Clavid AG, Switzerland

Page 2

Agenda

• SECTION 1 OpenID - What is it? How does it work? Integration?

• SECTION 2 SAML - What is it? How does it work?

• SECTION 3 Identity Federation

• SECTION 4 A Word on SuisseID

• SECTION 5 Strong Authentication as a Service

• SECTION 6 Further Links / Conclusion / Q&A

Page 3

SECTION 1

OpenID

> What is it?

> How does it work?

> How to integrate?

Page 4

OpenID - What is it?

> Internet Single Sign-On

> Relatively Simple Protocol

> User-Centric Identity Management

> Internet Scalable

> Free Choice of Identity Provider

> No License Fee

> Independent of Identification Methods

> Non-Profit Organization

Page 5

OpenID - How does it work?

[Diagram: user Hans Muster (domain www.iid.ch) owns the identity URL hans.muster.iid.ch; he authenticates at his Identity Provider (e.g. clavid.ch), and an OpenID-enabled service accepts OpenID = hans.muster.iid.ch.]

Page 6

OpenID - How does it work?

[Diagram: user Hans Muster, his Identity Provider (e.g. clavid.com, identity URL https://hans.muster.clavid.com) and an OpenID-enabled service (e.g. clavid.com), with the numbered steps below.]

Caption:
1. User enters OpenID
2. Discovery
3. Authentication
4. Approval
4a. Change Attributes
5. Send Attributes
6. Validation

Page 7

OpenID - How does it work?

Step 1: A user decides to use a personalized Internet service supporting OpenID (e.g. local.ch). The user clicks on "Login using OpenID" and enters their OpenID (e.g. hans.muster.iid.ch).

Step 2: The Internet service normalizes the OpenID into a URL (http://hans.muster.iid.ch) and fetches this URL in order to discover the user's Identity Provider.

Step 2a: In this example, the user has delegated their OpenID to the Identity Provider clavid.ch: the page at hans.muster.iid.ch names clavid.ch as the provider.

Step 3: The Identity Provider offers the authentication methods available for that specific user (in this case "Password"). After successful authentication, the next step (approval) is initiated.

Step 4: The user decides which values of the requested attributes are released to the Internet service. The Identity Provider usually offers user-specific Personas (attribute templates) to assist the user in this approval process.

Step 4a: At this point, the user may change attribute values and store them on the Identity Provider for future approvals for that specific service. Thus, a user can automate future approvals for specific Internet services.

Steps 5, 6: The attribute values are signed and sent from the Identity Provider to the Internet service, through the user's browser. The Internet service validates the signature of the provided attributes, checks that the response belongs to the login it initiated (the discovered provider endpoint, its own return URL, a nonce it has not seen before) and finally accepts the user as authenticated.
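The relying-party side of steps 2 and 6 in working code, as an added example that is not part of the original presentation or of Clavid's software. It assumes OpenID 2.0 stateful mode (an association handle and HMAC-SHA256 key already shared with the provider); every URL, handle, nonce and attribute value in it is constructed for the demo, and the discovery document and the provider's positive assertion are built inline so it runs offline. Both sides of steps 5 and 6 appear: op_sign produces the assertion as the provider would, validate_assertion is what the relying party must check before it believes the returned attributes.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from html.parser import HTMLParser

# Constructed demo data: the normalised identity URL (step 2) and the HTML served there;
# the openid2.local_id link is the delegation of step 2a (the OP's name for this user).
CLAIMED_ID = "http://hans.muster.iid.ch/"
DISCOVERY_HTML = """<html><head>
<link rel="openid2.provider" href="https://www.clavid.ch/openid/server">
<link rel="openid2.local_id" href="https://hans.muster.clavid.ch/">
</head><body>Hans Muster</body></html>"""
# Constructed association (handle, HMAC-SHA256 key), normally negotiated with the OP first.
ASSOCIATION = ("assoc-20100304-0001", hashlib.sha256(b"constructed association secret").digest())
RP_RETURN_TO = "https://www.local.ch/openid/return?sid=7f3a"  # the RP's own callback URL
NOW = datetime(2010, 3, 4, 10, 15, 30, tzinfo=timezone.utc)
# Fields an OP must always sign (OpenID Authentication 2.0, section 10.1).
REQUIRED_SIGNED = {"op_endpoint", "return_to", "response_nonce", "assoc_handle", "claimed_id", "identity"}

class _LinkParser(HTMLParser):  # collects <link rel=... href=...> pairs for HTML-based discovery
    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag == "link":
            a = dict(attrs)
            for rel in (a.get("rel") or "").split():
                self.links[rel] = a.get("href")

def discover(claimed_id, html):
    """Step 2/2a: returns (op_endpoint, op_local_identifier) from the identity page."""
    p = _LinkParser()
    p.feed(html)
    endpoint = p.links.get("openid2.provider")
    if not endpoint:
        raise ValueError("no openid2.provider link in discovery document")
    return endpoint, p.links.get("openid2.local_id") or claimed_id

def kv_form(fields, signed):
    """Key-Value Form (section 4.1.1): 'key:value\\n' per signed key, in the listed order."""
    return "".join(f"{k}:{fields['openid.' + k]}\n" for k in signed).encode()

def op_sign(fields, mac_key):
    """OP side of step 5: compute openid.sig over the fields listed in openid.signed."""
    mac = hmac.new(mac_key, kv_form(fields, fields["openid.signed"].split(",")), hashlib.sha256).digest()
    return {**fields, "openid.sig": base64.b64encode(mac).decode()}

def validate_assertion(resp, op_endpoint, local_id, claimed_id, return_to, association, seen_nonces, now, max_skew=timedelta(minutes=5)):
    """Step 6 at the RP. Returns the signed sreg attributes or raises ValueError."""
    if resp.get("openid.mode") != "id_res":
        raise ValueError("not a positive assertion")
    signed = resp.get("openid.signed", "").split(",")
    if REQUIRED_SIGNED - set(signed) or any("openid." + k not in resp for k in signed):
        raise ValueError("mandatory field unsigned or signed field absent")
    handle, mac_key = association
    if resp.get("openid.assoc_handle") != handle:
        raise ValueError("unknown association handle")
    # Check the MAC before acting on any field; constant-time comparison.
    expected = hmac.new(mac_key, kv_form(resp, signed), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, base64.b64decode(resp.get("openid.sig", ""))):
        raise ValueError("bad signature")
    # Bind the assertion to what discovery told us and to this RP's own login attempt.
    if resp["openid.op_endpoint"] != op_endpoint:
        raise ValueError("assertion from an OP endpoint discovery did not return")
    if resp["openid.claimed_id"] != claimed_id or resp["openid.identity"] != local_id:
        raise ValueError("identifiers do not match discovery")
    if resp["openid.return_to"] != return_to:
        raise ValueError("return_to mismatch")
    # Replay protection: the nonce is a UTC timestamp plus a unique suffix, accepted once.
    nonce = resp["openid.response_nonce"]
    ts = datetime.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    if abs(now - ts) > max_skew or nonce in seen_nonces:
        raise ValueError("stale or replayed response_nonce")
    seen_nonces.add(nonce)
    # Only attributes covered by the signature are released; an unsigned sreg.* is dropped.
    return {k: resp["openid." + k] for k in signed if k.startswith("sreg.")}

def sample_assertion():
    """Constructed positive assertion as the OP sends it in step 5 (via the browser)."""
    fields = {
        "openid.ns": "http://specs.openid.net/auth/2.0", "openid.mode": "id_res",
        "openid.op_endpoint": "https://www.clavid.ch/openid/server",
        "openid.claimed_id": CLAIMED_ID, "openid.identity": "https://hans.muster.clavid.ch/",
        "openid.return_to": RP_RETURN_TO, "openid.response_nonce": "2010-03-04T10:15:28Zk3Xq9",
        "openid.assoc_handle": ASSOCIATION[0], "openid.ns.sreg": "http://openid.net/extensions/sreg/1.1",
        "openid.sreg.email": "hans.muster@example.ch",
        "openid.signed": "op_endpoint,return_to,response_nonce,assoc_handle,claimed_id,identity,ns.sreg,sreg.email",
    }
    return op_sign(fields, ASSOCIATION[1])

def rp_login(resp, seen_nonces, now=NOW):
    """The whole RP side: discovery, then validation. Returns (attributes, error)."""
    op_endpoint, local_id = discover(CLAIMED_ID, DISCOVERY_HTML)
    try:
        return validate_assertion(resp, op_endpoint, local_id, CLAIMED_ID, RP_RETURN_TO, ASSOCIATION, seen_nonces, now), None
    except ValueError as e:
        return None, str(e)
```

The order of the checks is the point: the MAC is verified before any field is acted on, and the assertion is then tied to what the relying party itself knows (the discovered endpoint and identifiers, its own return_to, a nonce it accepts only once), so a signed response captured for one service or one login cannot be replayed into another. Attributes that arrive outside openid.signed are dropped rather than trusted.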

Page 8

OpenID - How does it work?

Page 9

OpenID - How does it work?

Page 10

OpenID - User Centric Identity Management

[Diagram: TODAY, a separate username and password for every service; TOMORROW? / FUTURE?, one OpenID Provider used to sign in to all of them.]

Page 11

OpenID - How to Integrate?

Assumptions concerning your current site:
• Users sign in with their username and password
• There is a form where new users have to register
• Each user is identified by a unique ID in your database
• A settings page lets users manage their account info

Recipe:
• Extend the database to map the OpenIDs to the user IDs
• Extend the registration page with an OpenID input field
• Extend the sign-in page with an OpenID input field
• Extend the settings page to attach and detach OpenIDs
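A minimal version of that recipe as an added example (not code from the presentation), using an in-memory SQLite database so it runs stand-alone; the table and column names are assumptions. It makes explicit three constraints the recipe leaves implicit: the key is the claimed identifier as returned by the OpenID library after validation, never the string the user typed; one identifier can be bound to at most one account; and a user cannot detach the last way into an account that has no password.

```python
import sqlite3

# Constructed schema: the site's existing users table plus the mapping table the
# recipe adds. claimed_id is the PRIMARY KEY, so an OpenID belongs to one account.
SCHEMA = """
CREATE TABLE users (
    id INTEGER PRIMARY KEY,
    username TEXT UNIQUE NOT NULL,
    password_hash TEXT             -- NULL for accounts registered via OpenID only
);
CREATE TABLE user_openids (
    claimed_id TEXT PRIMARY KEY,   -- validated, normalised claimed identifier
    user_id INTEGER NOT NULL REFERENCES users(id)
);
"""

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def user_for_openid(db, claimed_id):
    """Sign-in page: the account behind a claimed identifier the OpenID library has
    just validated. None means unknown, i.e. send the user to registration."""
    row = db.execute("SELECT user_id FROM user_openids WHERE claimed_id = ?", (claimed_id,)).fetchone()
    return row[0] if row else None

def register_with_openid(db, username, claimed_id):
    """Registration page: create a password-less account bound to the OpenID."""
    cur = db.execute("INSERT INTO users (username) VALUES (?)", (username,))
    db.execute("INSERT INTO user_openids VALUES (?, ?)", (claimed_id, cur.lastrowid))
    db.commit()
    return cur.lastrowid

def attach_openid(db, session_user_id, claimed_id):
    """Settings page: attach to the logged-in account only. An identifier already
    bound to another account is refused; accepting it would let one user take over
    another user's login."""
    try:
        db.execute("INSERT INTO user_openids VALUES (?, ?)", (claimed_id, session_user_id))
        db.commit()
        return True
    except sqlite3.IntegrityError:
        return False

def detach_openid(db, session_user_id, claimed_id):
    """Settings page: detach only the caller's own identifier, and never the last
    remaining way into an account that has no password."""
    (has_pw,) = db.execute("SELECT password_hash IS NOT NULL FROM users WHERE id = ?", (session_user_id,)).fetchone()
    (n,) = db.execute("SELECT COUNT(*) FROM user_openids WHERE user_id = ?", (session_user_id,)).fetchone()
    if not has_pw and n <= 1:
        return False
    cur = db.execute("DELETE FROM user_openids WHERE claimed_id = ? AND user_id = ?", (claimed_id, session_user_id))
    db.commit()
    return cur.rowcount == 1
```

The DELETE is scoped to both the identifier and the session's user id, so the ownership check is enforced by the query itself rather than by a preceding lookup that could race with it.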

Page 12

OpenID - How to Integrate?

Ingredients

• An OpenID Consumer Library

• The Standard OpenID Logos

• An OpenID Provider to test your site with

Page 13

OpenID - How to Integrate?

OpenID Libraries

Language     Library
C#           DotNetOpenId, ExtremeSwank
C++          Libopkele
Java         NetMesh InfoGrid LID, OpenID4Java, joid
Perl         Net::OpenID, OpenID4Perl
Python       JanRain
Ruby         JanRain, Heraldry
PHP          JanRain, Zend Framework OpenID Component, Saeven.net's JanRain Service Utility Class, Taral, Simple Class, sfOpenIDPlugin, CakePHP, EasyOpenID, OpenID For PHP, AuthOpenID Snippet
ColdFusion   CFKit OpenID, CFOpenID, OpenID CFC
Apache 2     mod_auth_openid

Page 14

SECTION 2

SAML

> What is it?

> How does it work?

Page 15

SAML - What is it?

SAML (Security Assertion Markup Language):

> Defined by OASIS

> A rigorous, academically designed specification

> Uses XML syntax

> Used for authentication and authorization

> SAML Assertions
  > Statements: Authentication, Attribute, Authorization Decision

> SAML Protocols
  > Request/response pairs: Authentication Request, Artifact Resolution, Name Identifier Mapping, etc.

> SAML Bindings
  > SOAP, Reverse SOAP (PAOS), HTTP Redirect, HTTP POST, HTTP Artifact

> SAML Profiles
  > Web Browser Single Sign-On Profile, Identity Provider Discovery Profile, Assertion Query/Request Profile, Attribute Profiles

Page 16

SAML - How does it work?

[Diagram: user Hans Muster tries to access a resource at an enabled service (e.g. Google Apps for Business). The service redirects the browser to the Identity Provider (e.g. clavid.ch) with an <AuthnRequest>; after AUTHENTICATION the Identity Provider redirects back with a <Response> carrying a signed assertion, and the user reaches the resource.]

Page 17

SAML - How does it work?

[Diagram: the same flow with numbered steps 1 to 6 between user Hans Muster, the Identity Provider (e.g. clavid.ch) and the enabled service (e.g. Google Apps for Business); the steps are described on the next page.]

Page 18

SAML - How does it work?

Step 1: A user decides to use a personalized Internet service connected to a SAML-based Identity Provider (e.g. the calendar of a Google Apps for Business domain).

Step 2: The Internet service recognizes that the user is not logged in yet. A SAML <AuthnRequest> is created and sent to the Identity Provider via a browser redirect.

Step 3: The Identity Provider offers the authentication methods available for that specific user (in this case a "YubiKey" OTP). After successful authentication, the next step is initiated.

Step 4: The Identity Provider creates a SAML <Response> containing the user's identifier for the specific target application. It signs the <Response> and delivers it to the Internet service (e.g. Google Calendar) with the HTTP POST binding: an auto-submitted form in the user's browser.

Step 5: The Internet service (e.g. Google Apps) verifies the signature of the SAML <Response>, checks that the assertion is addressed to it and still valid (audience, recipient, InResponseTo, validity period), and now knows the user's identifier as asserted by the Identity Provider.

Step 6: The Internet service can now be used by the user.
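The service-provider side of steps 2, 4 and 5 as an added example; it is not the presentation's code and not how Google Apps implements it. Entity IDs, endpoints, request IDs and the <Response> itself are constructed; the ds:Signature element is present only as an envelope, and the cryptographic XML-Signature verification is delegated to a caller-supplied signature_ok function (in practice your SAML library), because the point here is the set of protocol-level checks that has to surround that verification: Destination and InResponseTo, status, issuer, exactly one assertion, a signature reference that points at the assertion actually consumed, the validity window, the audience and the bearer confirmation data.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed SP/IdP configuration; every identifier and URL here is an assumption.
SP_ENTITY_ID = "https://calendar.example.ch/saml/metadata"
ACS_URL = "https://calendar.example.ch/saml/acs"
IDP_ENTITY_ID = "https://www.clavid.ch/saml/idp"
IDP_SSO_URL = "https://www.clavid.ch/saml/sso"
NOW = datetime(2010, 3, 4, 10, 15, 30, tzinfo=timezone.utc)

def build_authn_request(request_id, issue_instant):
    """Step 2: the <AuthnRequest> the SP sends through a browser redirect. The SP
    keeps request_id in the session so that InResponseTo can be checked in step 5."""
    return (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
            f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
            f'Destination="{IDP_SSO_URL}" AssertionConsumerServiceURL="{ACS_URL}" '
            'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
            f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>')

# Constructed <Response> of step 4, i.e. what the browser POSTs to the ACS URL. The
# ds:Signature is an envelope only; its DigestValue/SignatureValue are dummies.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_resp1" Version="2.0" IssueInstant="2010-03-04T10:15:29Z"
    Destination="{ACS_URL}" InResponseTo="_req1">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2010-03-04T10:15:29Z">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <ds:Signature xmlns:ds="{NS['ds']}">
      <ds:SignedInfo><ds:Reference URI="#_a1"><ds:DigestValue>ZHVtbXk=</ds:DigestValue></ds:Reference></ds:SignedInfo>
      <ds:SignatureValue>ZHVtbXk=</ds:SignatureValue>
    </ds:Signature>
    <saml:Subject>
      <saml:NameID>hans.muster@example.ch</saml:NameID>
      <saml:SubjectConfirmation Method="{BEARER}">
        <saml:SubjectConfirmationData Recipient="{ACS_URL}" InResponseTo="_req1" NotOnOrAfter="2010-03-04T10:20:29Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2010-03-04T10:14:29Z" NotOnOrAfter="2010-03-04T10:20:29Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

def _t(s):  # SAML UTC timestamp; the IdP is assumed to emit whole seconds
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def consume_response(xml_text, request_id, signature_ok, now=NOW, skew=timedelta(minutes=3)):
    """Step 5 at the SP. signature_ok(assertion_element) is the XML-Signature check of
    your SAML library; this function does the protocol-level binding around it and
    returns the asserted NameID, or raises ValueError."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise ValueError("not a samlp:Response")
    if root.get("Destination") != ACS_URL or root.get("InResponseTo") != request_id:
        raise ValueError("response not addressed to this SP and login attempt")
    if root.find("samlp:Status/samlp:StatusCode", NS).get("Value") != SUCCESS:
        raise ValueError("IdP reported a non-success status")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise ValueError("expected exactly one assertion")
    a = assertions[0]
    if a.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        raise ValueError("assertion not issued by the trusted IdP")
    # The signature must cover *this* assertion: its ds:Reference has to point at the
    # ID being consumed, otherwise an unsigned copy wrapped next to a signed one passes.
    ref = a.find("ds:Signature/ds:SignedInfo/ds:Reference", NS)
    if ref is None or ref.get("URI") != "#" + a.get("ID") or not signature_ok(a):
        raise ValueError("assertion signature missing, misplaced or invalid")
    cond = a.find("saml:Conditions", NS)
    if not (_t(cond.get("NotBefore")) - skew <= now < _t(cond.get("NotOnOrAfter")) + skew):
        raise ValueError("assertion outside its validity period")
    if SP_ENTITY_ID not in [x.text for x in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        raise ValueError("assertion not intended for this SP")
    sc = a.find("saml:Subject/saml:SubjectConfirmation", NS)
    scd = sc.find("saml:SubjectConfirmationData", NS)
    if (sc.get("Method") != BEARER or scd.get("Recipient") != ACS_URL
            or scd.get("InResponseTo") != request_id or now >= _t(scd.get("NotOnOrAfter")) + skew):
        raise ValueError("bearer confirmation does not match this SP and login attempt")
    return a.findtext("saml:Subject/saml:NameID", namespaces=NS)

def sp_consume(xml_text, request_id, signature_ok, now=NOW):
    """Wrapper returning (name_id, error) instead of raising."""
    try:
        return consume_response(xml_text, request_id, signature_ok, now), None
    except ValueError as e:
        return None, str(e)
```

Two of these checks are the ones most often skipped in home-grown consumers: InResponseTo ties the assertion to a request this SP actually made, and the ds:Reference URI check makes sure the element the library verified is the element whose NameID is being trusted.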

Page 19

SAML - How does it work?

1) Call Application URL

2) Login

3) Application Usage

Page 20

SECTION 3

Identity Federation

Page 21

B2B Identity Federation - The Protocol Problem

[Diagram: Company A's intranet connects over https to SaaS applications from three providers (Internet Service A: Document Management, Internet Service B: Travel Ticket Shop, Internet Service C: Personnel Recruiting), and each service speaks its own protocol: a proprietary token, OpenID, SAML 1.0 or SAML 2.0.]

Page 22

B2B Identity Federation - The Protocol Mess

[Diagram: Companies A, B and C each connect their intranet over https to the same three SaaS applications (Document Management, Travel Ticket Shop, Personnel Recruiting). Every company has to support every protocol (proprietary token, SAML 1.0, SAML 2.0, OpenID), so the number of integrations grows with companies times services.]

Page 23

B2B Identity Federation - The Protocol Solution

[Diagram: an Internet Identity Provider sits between the companies and the SaaS applications and performs the identity mapping. Towards the users it offers several authentication methods: Biometric (AXSionics), SSL Certificates, eID (Identity Card), Mobile Phone (SMS), One Time Password (OTP) and Internet SSO. Towards the services it speaks each service's protocol: proprietary token, SAML 1.0, SAML 2.0, OpenID. All links run over https.]

Page 24

B2B Identity Federation - The Protocol Solution

[Diagram: the same Internet Identity Provider, with the intranets of Companies A, B and C now connected to it by identity federation (SAML 1.0 / SAML 2.0 over https, or a proprietary token) and with the authentication methods of the previous slide. Each company integrates once with the Identity Provider instead of once per service.]

Page 25

SECTION 4

A Word on SuisseID

Page 26

A Word On SuisseID

• SuisseID is currently in the early draft specification phase

• SuisseID should be available to the public in spring 2010

• SuisseID costs will be refunded by the Government in 2010

• SuisseID will most probably consist of:

– A signature certificate

– An authentication certificate

– All certificates conform to ZertES (the Swiss federal act on electronic signatures)

– Certificates contain a unique SuisseID number

– Identity Provider services for attribute exchange

• Eligible SuisseID certificate service providers will be:

– Swiss Post (SwissSign), Swisscom, QuoVadis, Swiss Government

Page 27

A Word On SuisseID

Page 28

SECTION 5

Strong Authentication as a Service

Page 29

OpenID - International Identity Providers

[Slide of provider logos grouped by the authentication method they offer: Username/Password, Certificates, Biometric, OTP.]

Page 30

Clavid Portal for Strong Authentication

Page 31

Clavid Portal - AXSionics

Page 32

Clavid Portal - YubiKey

Page 33

Clavid Portal - Certificates

Page 34

Clavid Portal - One Time Password

OTP Methods:
• OATH HOTP (RFC 4226)
• Challenge/Response (RFC 2289)
• Mobile OTP (open source project)
• SMS
• ... others ...

Page 35

Clavid Portal - Personas

Page 36

Clavid Portal - Login Settings

Page 37

Clavid Login Dialog

Page 38

SECTION 6

Conclusion

> Further References

> Questions & Answers

> Contact Information

Page 39

Further Links: on OpenID

> http://en.wikipedia.org/wiki/OpenID

> http://en.wikipedia.org/wiki/List_of_OpenID_providers

OpenID Identity Providers can be found at:

> http://www.openiddirectory.com/openid-providers-c-1.html

> http://www.clavid.com/ (Strong Authentication in Europe)

Page 40

Conclusion

> OpenID: An open, well-documented specification allowing Internet Single Sign-On (SSO) for individual "public services" (B2C)

> SAML: Trust-based Internet and intranet Single Sign-On for business services (B2B)

> Professional Identity Providers already in place

> User-centric identity management already integrated

> Join OpenID Switzerland in order to increase the OpenID momentum

> Enable your Internet services to support OpenID or SAML!

Page 41

Demo

> SAML login to Google Apps for Business using the AXSionics fingerprint token

> SAML login to Salesforce.com using YubiKey OTP

> OpenID login to local.ch using a Swiss Post certificate (Post Zertifikat)

> Online identity administration (Clavid Portal)

Page 42

Questions & Answers

Page 43

Contact Information