external and federated identities on the web
play

External and Federated Identities on the Web Jan Pazdziora Sr. - PowerPoint PPT Presentation

Apr 18, 2023 •288 likes •542 views

External and Federated Identities on the Web Jan Pazdziora Sr. Principal Software Engineer Identity Management Special Projects, Red Hat 1 st October 2015 Scope and problem statement Applications get deployed in large organizations and

  1. External and Federated Identities on the Web Jan Pazdziora Sr. Principal Software Engineer Identity Management Special Projects, Red Hat 1 st October 2015

  2. Scope and problem statement ■ Applications get deployed in large organizations and across them. ■ What are the recommendations for application developers concerning authentication and access control methods and protocols that they should support? Problem statement Jan Pazdziora 2 / 24

  3. Application-level authentication Typical small application approach ■ Own database schema for users, passwords, and access policies. Web application ⇑ auth ⇘ pass control user's browser database Apache → (possibly on HTTP Server separate host) Web server host Users in Web applications Jan Pazdziora 3 / 24

  4. Application-level authentication Pros: ■ Integrated user management, without external dependencies. ■ Closely linked to custom data, including access control. Cons: ■ In large organizations, users already exist in central identity management systems. ■ LDAP, IdM/FreeIPA, Active Directory (AD), ... ■ With policies for access control. ■ Noone will sync the users manually. Users in Web applications Jan Pazdziora 4 / 24

  5. Application-level LDAP auth Developers told user identities are in LDAP ■ Typical solution: add LDAP support to the application (or framework). LDAP Web application to ⇒ auth identity ⇑ user's browser management server pass control Apache → HTTP Server Web server host Users in Web applications Jan Pazdziora 5 / 24

  6. Application-level LDAP auth Pros: ■ Organization's primary identity source is used. Cons: ■ Getting all aspects of LDAP operations right is not easy. ■ Authentication to the LDAP server. ■ Failover, DNS discovery. ■ Multiple domains and forests (AD). ■ Every new framework / project starts from scratch. ■ Usually only login + password supported. ■ Kerberos / GSSAPI, smartcard, or two-factor authentication usually done via different means. Users in Web applications Jan Pazdziora 6 / 24

  7. Front-end (Apache) authentication Front-end accepted for some setups ■ Application supports some basic authentication methods. ■ For complex ones, authentication front end (Apache HTTP Server) is used. Web application ⇑ identity pass REMOTE_USER user's browser management server LDAP Apache HTTP Server → to ⇒ mod_authnz_ldap auth Web server host Users in Web applications Jan Pazdziora 7 / 24

  8. Front-end (Apache) authentication Pros: ■ Single solution (Apache modules) possible for various deployments. ■ Failover, caching. ■ Support for Active Directory Global Catalog. Cons: ■ No support for multiple forests (AD). ■ No support for Group Policy Objects (GPO) or centralized host-based access control. ■ While authorization can be done on Apache level, fine-grained access control in the application not easy. ■ Fewer possibilities for nice user management from the application. Users in Web applications Jan Pazdziora 8 / 24

  9. OS-level tools for Web services System Security Services Daemon (SSSD) ■ Used for logon to system (ssh), can be used for Web services as well. Web application ⇑ pass REMOTE_USER + REMOTE_USER_EMAIL, identity, REMOTE_USER_GROUP_N, user's authn, REMOTE_USER_GROUP_1, ... browser authz sources ⇒ ↗ Apache HTTP Server auth → SSSD → mod_authnz_pam + get mod_lookup_identity ↘ info Web server host OS-level tools for Web services Jan Pazdziora 9 / 24

  10. OS-level tools for Web services Pros: ■ Single solution (Apache modules) for various applications. ■ Failover, caching, DNS discovery, cross-forest trust support (Windows users can log in to Web services on Linux). ■ Host-based access control (with IdM/FreeIPA) and GPO support (with AD, via PAM) for central access management. ■ Application can get additional information, not just REMOTE_USER. ■ Better user experience. ■ Fine-grained access control in apps based on group membership. Cons: ■ Fewer possibilities for nice user management from the application. OS-level tools for Web services Jan Pazdziora 10 / 24

  11. Setups within organizations Apache modules typical in large organizations Authentication Access Check Extra User Info mod_auth_kerb Kerberos / GSSAPI mod_auth_gssapi mod_ssl mod_authnz_pam Certificate mod_nss mod_lookup_identity mod_auth_form (provider PAM) 2FA mod_lookup_identity (uses mod_authnz_pam internally) Setups in large organizations Jan Pazdziora 11 / 24

  12. Authentication ■ Identity is established and verified. ■ The identifier (login name) can be further tweaked. SSLVerifyClient require # authenticate with mod_ssl SSLUserName SSL_CLIENT_CERT # r->user = whole certificate data LookupUserByCertificate On # find the user in IPA via SSSD # and set r->user = user login ■ With mod_auth_gssapi and GSS-Proxy, privilege separation possible. Apache process does not need access to keytab. [service/HTTP] mechs = krb5 cred_store = keytab:/etc/gssproxy/http.keytab cred_store = ccache:/var/lib/gssproxy/clients/krb5cc_%U euid = 48 ■ 2FA (password + one-time code) possible if backend supports it. Setups in large organizations Jan Pazdziora 12 / 24

  13. Authorization / access control ■ Not every authenticated user should be let in. ■ In Windows domain, everyone has Kerberos ticket granting ticket. ■ Avoid require valid-user . ■ Editing Apache .conf files is not very flexible. ■ Delegation to centralized policy definition (IdM, AD) is preferred. # require group crm-admins # do not define policy locally require pam-account crm-production # delegate via PAM # /etc/pam.d/crm-production auth required pam_sss.so # pam_sss.so for SSSD account required pam_sss.so # or other PAM module ■ Applications can run fine-grained access mechanisms based on user group memberships, obtained from external identity sources. Setups in large organizations Jan Pazdziora 13 / 24

  14. Additional info ■ For better user experience, applications need additional attributes. ■ For application-level roles and permissions, applications need group information. ■ Since we have just authenticated/authorized the user in Apache, why not get their attributes as well? LookupUserAttr mail REMOTE_USER_EMAIL " " LookupUserAttr givenname REMOTE_USER_FIRSTNAME LookupUserAttr sn REMOTE_USER_LASTNAME LookupUserGroupsIter REMOTE_USER_GROUP ■ We map SSSD's attributes to environment variables. ■ Application does not need to reach out for the information. ■ And hit another round of "where to get it from? how to authenticate to that source?" issues. Setups in large organizations Jan Pazdziora 14 / 24

  15. Recommendations ■ What are the recommendations for application developers concerning authentication and access control methods and protocols that they should support, for deployments within large organizations? ■ Accept authentication/authorization result from front-end server. ■ REMOTE_USER or other mechanism used. ■ Accept additional user attributes and group membership. ■ REMOTE_USER_EMAIL ■ REMOTE_USER_GROUP_N ■ REMOTE_USER_GROUP_1 ■ REMOTE_USER_GROUP_2 ■ or REMOTE_USER_GROUPS as colon-separated list Setups in large organizations Jan Pazdziora 15 / 24

  16. Users across organizations Application hosted by a provider ■ Users are managed by different organization (the customer). ■ Likely no Kerberos as no HTTP/ service keytab from customer's KDC. ■ No way to reach into customer's internal network, to IdM/FreeIPA or AD. ■ Is our recent recommendation faulty? ■ Actually, it gets even more valid across organizations. ■ With federation, all information about the user comes from the initial authentication exchange. Across organizations' boundaries Jan Pazdziora 16 / 24

  17. SAML Security Assertion Markup Language ■ Getting identity of authenticated user, their attributes, and authorization information from Identity Provider (provided by customer). ■ The single sign-on on the Web. ■ Client side (Service Provider, that hosted solution) implemented by Apache module: mod_auth_mellon. ■ Previous agreement/setup with metadata and public key exchange needed. ■ Good or bad thing depending on point of view. ■ No communication between the Service Provider and Identity Provider needed. ■ Browser handles the redirects of signed data. Across organizations' boundaries Jan Pazdziora 17 / 24

  18. SAML workflow hosted application ⇑ pass info about user Apache ⟶ mod_auth_mellon user's browser Web server host in ↙↗ provider's network HTTP redirects Ipsilon or other IdP ↘↖ → IdM, AD, LDAP (possibly with SSSD) Identity Provider host identity source Across organizations' boundaries Jan Pazdziora 18 / 24

  19. Ipsilon Three-command SAML Identity Provider ■ Install packages, configure, restart Apache. yum install -y ipsilon ipsilon-saml2 ipsilon-authform \ ipsilon-authgssapi ipsilon-infosssd ipsilon-tools-ipa ipsilon-server-install --ipa yes --saml2 yes \ --form yes --gssapi yes \ --gssapi-httpd-keytab /etc/http.keytab \ --info-sssd yes --info-sssd-domain example.test service httpd restart ■ Written in Python, with protocols and providers as plugins. ■ Integrates with FreeIPA/SSSD. ■ SAML, OpenID, Mozilla Persona available. ■ OpenID Connect actively developed. ■ Available in Fedora, coming to RHEL/CentOS soon. Across organizations' boundaries Jan Pazdziora 19 / 24

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Strong Authentication without Tamper-Resistant Hardware and Application to Federated Identities

Strong Authentication without Tamper-Resistant Hardware and Application to Federated Identities

Strong Authentication without Tamper-Resistant Hardware and Application to Federated Identities Zhenfeng Zhang , Yuchen Wang , Kang Yang Institute of Software, Chinese Academy of Sciences; The Joint Academy of Blockchain

869 views • 25 slides
Open and federated identities with ID4me FOSDEM 2020, 2 February 2020 Vittorio Bertola,

Open and federated identities with ID4me FOSDEM 2020, 2 February 2020 Vittorio Bertola,

Open and federated identities with ID4me FOSDEM 2020, 2 February 2020 Vittorio Bertola, Open-Xchange 1. The problem 2 Our online identity, today The big Internet platforms already create an online identity for us They track us across

312 views • 29 slides
Identities: Mirrors and Windows Our identities from our fingerprints and Facebook profile to

Identities: Mirrors and Windows Our identities from our fingerprints and Facebook profile to

Identities: Mirrors and Windows Our identities from our fingerprints and Facebook profile to our family trees fundamentally shape the ways that we think about, feel, and interact with the world. This neighborhood gives students the

657 views • 14 slides
Staff has concerns over the setbacks of the second floor patio and will be conditioning that the

Staff has concerns over the setbacks of the second floor patio and will be conditioning that the

From: Liska, Andrew <Andrew.Liska@minneapolismn.gov> Sent: Wednesday, August 19, 2020 2:34 PM To: Michael Subject: RE: [EXTERNAL] RE: [EXTERNAL] RE: [EXTERNAL] RE: [EXTERNAL] RE: [EXTERNAL] RE: [EXTERNAL] 1219 31st W Joyce Church Hi,

366 views • 3 slides
Trig Identities An identity is an equation that is true for all values of the variables. Examples

Trig Identities An identity is an equation that is true for all values of the variables. Examples

Trig Identities An identity is an equation that is true for all values of the variables. Examples of identities might be obvious results like Elementary Functions Part 4, Trigonometry 2 x + 2 x = 4 x Lecture 4.8a, Trig Identities and

276 views • 6 slides
Virtual Identities This lesson considers the extent to which people are able to create online,

Virtual Identities This lesson considers the extent to which people are able to create online,

Virtual Identities This lesson considers the extent to which people are able to create online, virtual identities, and whether these reflect real life identities On The Internet Nobody Knows You Are A Dog! This cartoon from the early days

458 views • 17 slides
Analyzing Federated Learning through an Adversarial Lens Arjun Nitin Bhagoji 1 , Supriyo

Analyzing Federated Learning through an Adversarial Lens Arjun Nitin Bhagoji 1 , Supriyo

Analyzing Federated Learning through an Adversarial Lens Arjun Nitin Bhagoji 1 , Supriyo Chakraborty 2 , Prateek Mittal 1 and Seraphin Calo 2 1 Princeton University 2 IBM Research ICML 2019 Federated learning (with a malicious agent) Federated

1.46k views • 59 slides
Docker in the EGI Docker in the EGI Federated Cloud Federated Cloud Carlos Gimeno

Docker in the EGI Docker in the EGI Federated Cloud Federated Cloud Carlos Gimeno

Docker in the EGI Docker in the EGI Federated Cloud Federated Cloud Carlos Gimeno cgimeno@bifi.es Instituto de Biocomputacin y Fsica de Sistemas Complejos info@bifi.es http://bifi.es 0. Index Introduction What is Docker? A

401 views • 14 slides
Federated Machine Learning via Over-the-Air Computation Yuanming Shi ShanghaiTech University 1

Federated Machine Learning via Over-the-Air Computation Yuanming Shi ShanghaiTech University 1

Federated Machine Learning via Over-the-Air Computation Yuanming Shi ShanghaiTech University 1 Outline Motivations Big data, IoT,AI Three vignettes: Federated machine learning Federated model aggregation Over-the-air

1.02k views • 56 slides
Units in quasigroups with Bol-Moufang type identities Natalia N. Didurik and Victor A.

Units in quasigroups with Bol-Moufang type identities Natalia N. Didurik and Victor A.

Introduction Units in quasigroups with classical Bol-Moufang identities Identities defining a CML Results Quasigroup based El Gamal Units in quasigroups with Bol-Moufang type identities Natalia N. Didurik and Victor A. Shcherbacov

472 views • 34 slides
Federated Learning Min Du Postdoc, UC Berkeley Outline q Preliminary: deep learning and SGD q

Federated Learning Min Du Postdoc, UC Berkeley Outline q Preliminary: deep learning and SGD q

Federated Learning Min Du Postdoc, UC Berkeley Outline q Preliminary: deep learning and SGD q Federated learning: FedSGD and FedAvg q Related research in federated learning q Open problems Outline q Preliminary: deep learning and SGD q Federated

616 views • 50 slides
Differentially-Private Federated Linear Bandits Introduction Federated Learning Contextual

Differentially-Private Federated Linear Bandits Introduction Federated Learning Contextual

Differentially- Private Federated Linear Bandits Dubey and Pentland June 2020 Differentially-Private Federated Linear Bandits Introduction Federated Learning Contextual Bandits Summary Background Abhimanyu Dubey and Alex Pentland

437 views • 20 slides
#7 Thinking in possibilities for federated log out. Marcel den Reijer & Fouad Makioui

#7 Thinking in possibilities for federated log out. Marcel den Reijer & Fouad Makioui

#7 Thinking in possibilities for federated log out. Marcel den Reijer & Fouad Makioui February 7, 2017 Supervised by Thijs Kinkhorst & Joost van Dijk Introduction Authentication & Authorization Federated identity SAML 2.0 and

288 views • 24 slides
Group identities for unitary units of group rings Ernesto Spinelli Universit` a di Roma La

Group identities for unitary units of group rings Ernesto Spinelli Universit` a di Roma La

Introduction and Motivations Group Identities for U + ( FG ) Group Identities for Un ( FG ) Group identities for unitary units of group rings Ernesto Spinelli Universit` a di Roma La Sapienza Dipartimento di Matematica G.

1.05k views • 57 slides
Fair Resource Allocation in Federated Learning Tian Li (CMU) , Maziar Sanjabi (Facebook AI), Ahmad

Fair Resource Allocation in Federated Learning Tian Li (CMU) , Maziar Sanjabi (Facebook AI), Ahmad

Fair Resource Allocation in Federated Learning Tian Li (CMU) , Maziar Sanjabi (Facebook AI), Ahmad Beirami (Facebook AI), Virginia Smith (CMU) tianli@cmu.edu 1 Federated Learning 2 2 Federated Learning Privacy-preserving training in

1.19k views • 55 slides
Identity, Power, and Action Week 3 - Day 1 Understand our individual and collective identities and

Identity, Power, and Action Week 3 - Day 1 Understand our individual and collective identities and

Identity, Power, and Action Week 3 - Day 1 Understand our individual and collective identities and how those identities inform our analyses of society. Discussion of Homework Assignment My Identity is a Superpower Not an Obstacle , by America

310 views • 7 slides
Midterm 1 Review Sheet INFO/CSE 100 SPRING 2005 This is a list of topics that we have covered

Midterm 1 Review Sheet INFO/CSE 100 SPRING 2005 This is a list of topics that we have covered

Midterm 1 Review Sheet INFO/CSE 100 SPRING 2005 This is a list of topics that we have covered prior to midterm exam 1. This is not all inclusive of every detail and there may be items on the exam that are not explicitly listed here, but these

254 views • 4 slides
Acquisition Week 2 LBSC 671 Creating Information Infrastructures Muddiest Points Metadata

Acquisition Week 2 LBSC 671 Creating Information Infrastructures Muddiest Points Metadata

Acquisition Week 2 LBSC 671 Creating Information Infrastructures Muddiest Points Metadata Aspects of Metadata Framework Functional Requirements for Bibliographic Records (FRBR) Schema (Data Fields and Structure)

952 views • 43 slides
Wireless Application Protocol ( W A P ) What is WAP? a When does WAP come to existence?

Wireless Application Protocol ( W A P ) What is WAP? a When does WAP come to existence?

Todays Focus? Wireless Application Protocol ( W A P ) What is WAP? a When does WAP come to existence? presentation Why are we using WAP? by How does WAP work? Where is WAP heading? Calvin Chan and Marc Jullion on March

669 views • 4 slides
Web Service Protocols Instructors: Peter Baumann email: p.baumann@jacobs-university.de tel:

Web Service Protocols Instructors: Peter Baumann email: p.baumann@jacobs-university.de tel:

Web Service Protocols Instructors: Peter Baumann email: p.baumann@jacobs-university.de tel: -3178 office: room 60, Research 1 340151 Big Databases & Cloud Services (P. Baumann) 1 Overview HTTP SOAP REST AJAX 340151

683 views • 45 slides
SERVICE-ORIENTED ARCHITECTURE in MOBILE NETWORK Long Nguyen Hoang silver@cc.hut.fi Marek

SERVICE-ORIENTED ARCHITECTURE in MOBILE NETWORK Long Nguyen Hoang silver@cc.hut.fi Marek

SERVICE-ORIENTED ARCHITECTURE in MOBILE NETWORK Long Nguyen Hoang silver@cc.hut.fi Marek Konieczny marek.konieczny@gmail.com Dec 2006 Agenda SOA overview SOA in mobile network Why Mobile SOA WS standards for mobile

548 views • 37 slides
CLOUD POWER NREN collaboration on service delivery and adoption in GANT GN3plus SA7 TF-MSP

CLOUD POWER NREN collaboration on service delivery and adoption in GANT GN3plus SA7 TF-MSP

CLOUD POWER NREN collaboration on service delivery and adoption in GANT GN3plus SA7 TF-MSP March 18, Amsterdam Collaborate, to enable and facilitate our community to use online services on a large scale, with the right conditions

840 views • 66 slides
Alexander Polyakov CTO in ERPScan Alexey Tyurin Director of consulting department in ERPScan

Alexander Polyakov CTO in ERPScan Alexey Tyurin Director of consulting department in ERPScan

Invest in security to secure investments Practical pentesting of ERPs and business applications Alexander Polyakov CTO in ERPScan Alexey Tyurin Director of consulting department in ERPScan Alexander Polyakov CTO of ERPScan EBASS

1.36k views • 109 slides
A Very Short Introduction to Web Services Massimo Mecella Dipartimento di Informatica e

A Very Short Introduction to Web Services Massimo Mecella Dipartimento di Informatica e

A Very Short Introduction to Web Services Massimo Mecella Dipartimento di Informatica e Sistemistica A NTONIO R UBERTI SAPIENZA Universit di Roma mecella@dis.uniroma1.it BASIC CONCEPTS 2 e-Services, Web Services, Services (1) -

677 views • 39 slides

More recommend