federated identity providers
play

Federated Identity Providers and the Ipsilon project Simo Sorce - PowerPoint PPT Presentation

Apr 20, 2023 •241 likes •480 views

Federated Identity Providers and the Ipsilon project Simo Sorce Sr. Princ. Sw. Engineer, Red Hat 2015/02/06 What is Federation ? In a nutshell: Dealing with users that you do not control on your own. To do that you need to trust a third party

  1. Federated Identity Providers and the Ipsilon project Simo Sorce Sr. Princ. Sw. Engineer, Red Hat 2015/02/06

  2. What is Federation ? In a nutshell: Dealing with users that you do not control on your own. To do that you need to trust a third party 2 Simo Sorce – DevConf.cz

  3. Trusting a third party An organization wants to offer services to another which “owns” the users identities. ● User's org controls what is disclosed about the user ● User does not need to know additional credentials ● Third party does not need full view of the users store redcat.omg foogle.omg ? user 3 Simo Sorce – DevConf.cz

  4. Trusting a third-third party Federation is also used when another party need access to data on the user's behalf . ● Also know as delegation . ● The third party only get access to specific user data ● The user/org. is in control of the permissions granted mydata.omg user redcat.omg slurpIn.omg ? user's data 4 Simo Sorce – DevConf.cz

  5. Not Federation Surrendering credentials is not federation. ● User's org. has no control, breach of privacy. ● User has no control on what the 3 rd party will actually do with the credentials. ● 3 rd party has liabilities it shouldn't want. ● No Single-sign-on. foogle.omg user@Foogle.omg user@Foogle.omg user slurpIn.omg + password + password user's contacts 5 Simo Sorce – DevConf.cz

  6. Federation protocols Most federation protocols are web/HTTP oriented ● Some authentication flows depend on a user sitting in front of a browser ● Non-interactive modes are available in some cases ● Delegation modes are non interactive (but may depend on interactive modes for setting up the delegation) To name a few: ● SAML, OpenId, OpenId Connect, Persona, ... 6 Simo Sorce – DevConf.cz

  7. How does it work ? 7 Simo Sorce – DevConf.cz

  8. Glossary Identity Provider ● Server that authenticate users ● Or provides enough data to verify an authentication assertion Service Provider / Relaying Party ● Server that needs authentication by a third party Identity Provider ● The system the user is trying to access (directly or indirectly like in the delegation case) 8 Simo Sorce – DevConf.cz

  9. SAML Key aspects: ● Requires agreement between parties ● exchange of metadata and public keys ● The Identity Provider can choose what data to send ● third parties receive assertions with attributes ● Data can be encrypted ● Single-sign-on friendly ● Support also single-logout and administrative logout ● Enterprise oriented ● Based on XML and SOAP on top of HTTP ● Spec by OASIS 9 Simo Sorce – DevConf.cz

  10. SAML Example auth flow: No direct communication between SP and IdP is necessary at login time, thanks to previous metadata redcat.omg jomo.omg exchange. 303 303 [auth] The Identity Provider (IdP) The SP redirects the user to receives the SP's request and the IdP to obtain an assertion may asks the user for proof of that the user is valid and identification (if needed). authenticated. The assertion If all checks pass the IdP contains attributes that identify User @ redcat redirects the user back to the the user. SP to hand it an assertion. (browser) 10 Simo Sorce – DevConf.cz

  11. OpenID Connect Key aspects: ● Supports user-driven consent ● Users may be allowed to tell the IdP to trust arbitrary third-parties (Idp does not need to trust the RP) ● Users can be allowed to decide whether to allow or deny authentication requests and what data to send ● Completely different from OpenID 1.0/2.0 ● Consumer Oriented ● Based on REST, JSON and Oauth 2.0 11 Simo Sorce – DevConf.cz

  12. OpenID Connect Example auth flow: Token needs to be validated online by Idp redcat.omg jomo.omg validation 303 303 [auth] The Identity Provider (IdP) The RP redirects the user to receives the request and may the IdP to obtain an asks the user for proof of authentication token . identification (if needed). If all checks pass the IdP redirects the user back to the User @ redcat SP to hand it a token. (browser) 12 Simo Sorce – DevConf.cz

  13. Persona Key aspects: ● Privacy oriented ● The Idp doesn't get to know each and every user's move ● Requires a browser plugin or some complex javascript ● Based on email address for identity ● requires a public website to host the Idp public certificate ● Uses crypto to generate custom user certificates ● Uses custom public/private key protocol ● The protocol is called BrowserID 13 Simo Sorce – DevConf.cz

  14. Persona Example auth flow: Only fetches public certificate redcat.omg jomo.omg validation [signs The RP obtains a signed The Identity Provider (IdP) is token] assertion and the user's queried only to authenticate and certificate and uses the IdP obtain a user certificate valid for public cert. to establish a short period. authenticity. User @ redcat (browser) 14 Simo Sorce – DevConf.cz

  15. The Ipsilon project 15 Simo Sorce – DevConf.cz

  16. Ipsilon A pluggable Identity Provider Supports multiple authentication methods Supports multiple Federation protocols Provides tools for easy installation, configuration and management Not an Identity Management server 16 Simo Sorce – DevConf.cz

  17. Ipsilon The server is built in python ● Best run in mod_wsgi ● Standalone mode via cherrypy ● Plugins are “drop-in” Clients available for apache ● Native C modules ● mod_auth_mellon (for SAML) 17 Simo Sorce – DevConf.cz

  18. Merged with FedOAuth FedOauth ● Current Fedora authentication system ● Implemented OpenID ● Written in python too Merged into Ipsilon ● Merge complete in December 2014 ● Rolling the merged Ipsilon project in Fedora Infrastructure right now 18 Simo Sorce – DevConf.cz

  19. Ipsilon authentication Supports authentication via ● any apache module ● direct LDAP binds ● Kerberos ● Chaining to other IdP ● IPA / AD / etc... ● Supports fetching info via ● LDAP ● Nsswitch ● Other IdP 19 Simo Sorce – DevConf.cz

  20. Ipsilon protocol support Federation protocols: ● SAML ● Uses lasso/xmlsec1 libraries ● Main focus when project was started ● ECP profile in the making ● OpenID ● Ported over from FedOauth ● For Fedora Infrastructure support ● Persona ● Ported over from FedOauth ● OpenID Connect (next) 20 Simo Sorce – DevConf.cz

  21. Demo 21 Simo Sorce – DevConf.cz

  22. Ipsilon roadmap Integration with FreeIPA should be seamless ● Automatic configuration during setup REST API ● For all admin operations ● For SAML SP registration Protocols: ● Improve SAML support ● OpenID Connect ● More auth/info plugins ● kx509 ? 22 Simo Sorce – DevConf.cz

  23. Questions ? Project points of contact: http://fedoraproject.org/ipsilon #ipsilon on Freenode Feedback about this talk: http://devconf.cz/f/24 23 Simo Sorce – DevConf.cz

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Modelling and Analysing an Identity Federation Protocol: Federated Network Providers Scenario

Modelling and Analysing an Identity Federation Protocol: Federated Network Providers Scenario

Modelling and Analysing an Identity Federation Protocol: Federated Network Providers Scenario Maurice ter Beek (FMT, ISTICNR, Pisa, Italy) joint work with Marinella Petrocchi (IITCNR, Pisa, Italy) Corrado Moiso (Telecom Italia, Torino,

559 views • 28 slides
Lets get a federated identity Do you have access to your email? Youll need a valid email

Lets get a federated identity Do you have access to your email? Youll need a valid email

Lets get a federated identity Do you have access to your email? Youll need a valid email address Intro to Federated Identity Do you have an account from Protect Network or Twitter You can skip ahead! EuroCAMP Training for

104 views • 7 slides
2nd Meeting of ICAC Federated Identity Status & Plans Mine Altunay October 15, 2019 Current

2nd Meeting of ICAC Federated Identity Status & Plans Mine Altunay October 15, 2019 Current

2nd Meeting of ICAC Federated Identity Status & Plans Mine Altunay October 15, 2019 Current Status Adoption of Federated Identity and Access Control is one of the top priorities for the lab Crucial for our success with DUNE,

403 views • 13 slides
Authoritative Quality From Campus Identity Management to a Federated Solution EuroCAMP, Porto,

Authoritative Quality From Campus Identity Management to a Federated Solution EuroCAMP, Porto,

Authoritative Quality From Campus Identity Management to a Federated Solution EuroCAMP, Porto, 2005-11-07 Ingrid Melve, FEIDE manager From campus identity management to a federated solution Case: FEIDE Campus Identity Management 2

655 views • 30 slides
EUDAT: Towards a pan-European Collaborative Data Infrastructure Federated Identity Management and

EUDAT: Towards a pan-European Collaborative Data Infrastructure Federated Identity Management and

EUDAT: Towards a pan-European Collaborative Data Infrastructure Federated Identity Management and Access Control Mark van de Sanden SARA, The Netherlands Terena VAMP workshop Utrecht, 6-7 September 2012 Outline Project Core Services

435 views • 16 slides
#7 Thinking in possibilities for federated log out. Marcel den Reijer & Fouad Makioui

#7 Thinking in possibilities for federated log out. Marcel den Reijer & Fouad Makioui

#7 Thinking in possibilities for federated log out. Marcel den Reijer & Fouad Makioui February 7, 2017 Supervised by Thijs Kinkhorst & Joost van Dijk Introduction Authentication & Authorization Federated identity SAML 2.0 and

288 views • 24 slides
FIM4L Federated Identity Management for Libraries Nick Roy 40th REFEDS Meeting Tallinn, Estonia

FIM4L Federated Identity Management for Libraries Nick Roy 40th REFEDS Meeting Tallinn, Estonia

FIM4L Federated Identity Management for Libraries Nick Roy 40th REFEDS Meeting Tallinn, Estonia 1 The Beginning Project AARC presentation at LIBER 2018 conference in Lille, by Peter Gietz (DAASI international), Jiri Pavlik (Moravian

736 views • 11 slides
DIGITAL IDENTITY Ben Livshits, Microsoft Research Overview of Todays Lecture 2 Brief

DIGITAL IDENTITY Ben Livshits, Microsoft Research Overview of Todays Lecture 2 Brief

DIGITAL IDENTITY Ben Livshits, Microsoft Research Overview of Todays Lecture 2 Brief history of user Popular identity identities protocols SAML Single sign-on OpenID InfoCard and CardSpace Federated identity

786 views • 66 slides
Data Services Integration Team WP1 Federated Identity Paul Millar, Patrick Fuhrmann, Bernd

Data Services Integration Team WP1 Federated Identity Paul Millar, Patrick Fuhrmann, Bernd

Data Services Integration Team WP1 Federated Identity Paul Millar, Patrick Fuhrmann, Bernd Schuller, Arsen Hayrapetyan, Marcus Hardt, Shiraz Memon, Shahbaz Memon, Christian Bernardt, Tigran Mkrtchyan, Dennis Klein The grid X.509 (user)

352 views • 17 slides
External Identity and Authentication Providers For Apache HTTP Server Jan Pazdziora Principal

External Identity and Authentication Providers For Apache HTTP Server Jan Pazdziora Principal

External Identity and Authentication Providers For Apache HTTP Server Jan Pazdziora Principal Software Engineer Identity Management Engineering, Red Hat 17 th November 2014 Basic Authentication The only authentication option in 1996 when

393 views • 21 slides
Federated Identity, SSO and Multifactor Authentication June 23 rd , 2017 Computing Services and

Federated Identity, SSO and Multifactor Authentication June 23 rd , 2017 Computing Services and

Computing Services and Systems Development Federated Identity, SSO and Multifactor Authentication June 23 rd , 2017 Computing Services and Systems Development F EDERATED I DENTITY , SSO AND MFA @ THE U NIVERSITY OF P ITTSBURGH Tony Carra

542 views • 12 slides
Identity and Access Management for Federated Resource Sharing: Shibboleth Stories

Identity and Access Management for Federated Resource Sharing: Shibboleth Stories

APAN, Tokyo, 2006 Identity and Access Management for Federated Resource Sharing: Shibboleth Stories http://arch.doit.wisc.edu/keith/apan/ apanShib-060122-01.ppt Keith Hazelton (hazelton@doit.wisc.edu) Sr. IT Architect, University of

430 views • 24 slides
Open and federated identities with ID4me FOSDEM 2020, 2 February 2020 Vittorio Bertola,

Open and federated identities with ID4me FOSDEM 2020, 2 February 2020 Vittorio Bertola,

Open and federated identities with ID4me FOSDEM 2020, 2 February 2020 Vittorio Bertola, Open-Xchange 1. The problem 2 Our online identity, today The big Internet platforms already create an online identity for us They track us across

312 views • 29 slides
IRODS AND FEDERATED IDENTITY AUTHENTICATION CURRENT LIMITATIONS AND PERSPECTIVE Claudio

IRODS AND FEDERATED IDENTITY AUTHENTICATION CURRENT LIMITATIONS AND PERSPECTIVE Claudio

IRODS AND FEDERATED IDENTITY AUTHENTICATION CURRENT LIMITATIONS AND PERSPECTIVE Claudio Cacciari, claudio.cacciari@surfsara.nl SURF UGM 2020, June 10 th 2020 IRODS and SURF SURF is the collaborative organisation for ICT in Dutch education

669 views • 34 slides
External and Federated Identities on the Web Jan Pazdziora Sr. Principal Software Engineer

External and Federated Identities on the Web Jan Pazdziora Sr. Principal Software Engineer

External and Federated Identities on the Web Jan Pazdziora Sr. Principal Software Engineer Identity Management Special Projects, Red Hat 1 st October 2015 Scope and problem statement Applications get deployed in large organizations and

542 views • 24 slides
Kipper a Grid bridge to Identity Federation Andrey Kiryanov Brief The Kipper client

Kipper a Grid bridge to Identity Federation Andrey Kiryanov Brief The Kipper client

Kipper a Grid bridge to Identity Federation Andrey Kiryanov Brief The Kipper client software combines tools and utilities to extend a Web Application to: Enable login via federated SSO like eduGAIN Retrieve a SAML2 Identity Assertion

385 views • 24 slides
reas da UX Composio da UX Produto Objetivo Motivao do do produto trabalho de UX

reas da UX Composio da UX Produto Objetivo Motivao do do produto trabalho de UX

reas da UX Composio da UX Produto Objetivo Motivao do do produto trabalho de UX Reclamaes de usurios Gerenciador de projetos Funcionalidade Atividades planejadas para descobrir os problemas da apresentao

649 views • 44 slides
eScience and Shared Workspaces: Enabler for a next generation research environment

eScience and Shared Workspaces: Enabler for a next generation research environment

eScience and Shared Workspaces: Enabler for a next generation research environment PrimeLife/IFIP Summer School 2010 Helsingborg, 2010-08-04 Christian Weber T-Mobile Chair of Mobile Business & Multilateral S ecurity Institute of

357 views • 23 slides
Bits and Bytes Computer Literacy Lecture 4 29/09/2008 Lecture Overview Lecture Topics

Bits and Bytes Computer Literacy Lecture 4 29/09/2008 Lecture Overview Lecture Topics

Bits and Bytes Computer Literacy Lecture 4 29/09/2008 Lecture Overview Lecture Topics How computers encode information How to quantify information and memory How to represent and communicate binary data The aim is to be able to

752 views • 34 slides
T cell mediated immunity Overview Antigen presenting cells Blood

T cell mediated immunity Overview Antigen presenting cells Blood

Development in the thymus Topics Naive T cells T cell mediated immunity Overview Antigen presenting cells Blood Peripheral lymphoid tissue Co-stimulation Maturation of APC Immunological Ag

430 views • 13 slides
Biotica www.mpatraoneves.pt www.mpatraoneves.pt As convenes internacionais

Biotica www.mpatraoneves.pt www.mpatraoneves.pt As convenes internacionais

www.mpatraoneves.pt www.mpatraoneves.pt www.mpatraoneves.pt www.mpatraoneves.pt Os grandes reptos mundiais Biotica www.mpatraoneves.pt www.mpatraoneves.pt As convenes internacionais www.mpatraoneves.pt www.mpatraoneves.pt M.

754 views • 43 slides
OWASP Top 10 OWASP Top Ten meets JSF Andreas Hartmann Application Security Komponente

OWASP Top 10 OWASP Top Ten meets JSF Andreas Hartmann Application Security Komponente

Agenda Application Security OWASP Top 10 OWASP Top Ten meets JSF Andreas Hartmann Application Security Komponente Application Security Startup 04.04.2013 04.04.2013 2 OWASP Top 10 Agenda Application Security Was ist Application Security

234 views • 8 slides
Module 9 The CIS error profiling technology Florian Fink Centrum fr Informations- und

Module 9 The CIS error profiling technology Florian Fink Centrum fr Informations- und

Module 9 The CIS error profiling technology Florian Fink Centrum fr Informations- und Sprachverarbeitung (CIS) Ludwig-Maximilians-Universitt Mnchen (LMU) 2015-09-15 Florian Fink Module 9 The CIS error profiling technology 2015-09-15 1

347 views • 24 slides
1 QUALITY CONTROL QUALITY ASSURANCE Controlling the software development process

1 QUALITY CONTROL QUALITY ASSURANCE Controlling the software development process

SOFTWARE ENGINEERING SOFTWARE QUALITY - SOFTWARE QUALITY QUALITY COMPONENTS Today we talk about software process quality and Objective quality component: properties that can certification be measured or approximated objectively

228 views • 7 slides

More recommend