openid openid and saml and saml
play

OpenID OpenID and SAML and SAML Fiona Culloch, EDINA Fiona - PowerPoint PPT Presentation

Jan 23, 2024 •446 likes •666 views

Shib Shibbolet oleth Develo Developmen ent a t and Su d Supp pport Services t Services OpenID OpenID and SAML and SAML Fiona Culloch, EDINA Fiona Culloch, EDINA EuroCAMP, Stockholm, 7 May 2008 EuroCAMP, Stockholm, 7 May 2008 Shib

  1. Shib Shibbolet oleth Develo Developmen ent a t and Su d Supp pport Services t Services OpenID OpenID and SAML and SAML Fiona Culloch, EDINA Fiona Culloch, EDINA EuroCAMP, Stockholm, 7 May 2008 EuroCAMP, Stockholm, 7 May 2008

  2. Shib Shibbolet oleth Develo Developmen ent a t and Su d Supp pport Services t Services What is OpenID for? What is OpenID for? • In principle, an OpenID is a universal username, valid across multiple, unrelated services • E.g., I have fculloch.protectnetwork.org That is an identifier for me • Original idea: avoid creating new accounts for every blog, wiki, etc. Use same OpenID for all • Driver: blogs, wikis etc. starting to require authN because of comment spam EuroCAMP, Stockholm EuroCAMP, Stockholm 7 May 20088 7 May 20088 2

  3. Shib Shibbolet oleth Develo Developmen ent a t and Su d Supp pport Services t Services How it works (1) How it works (1) • Login page provides “OpenID” edit box in addition to traditional username/ password • Standardised logo identifies this box to the user • User types OpenID, eg, fculloch.protectnetwork.org • Converted to http:/ / fculloch.protectnetwork.org • User redirected to authentication page at protectnetwork.org, enters password there • Protectnetwork.org confirms to original web site that user entered correct password. User now logged in. EuroCAMP, Stockholm EuroCAMP, Stockholm 7 May 20088 7 May 20088 3

  4. Shib Shibbolet oleth Develo Developmen ent a t and Su d Supp pport Services t Services Terminology Terminology • Relying Party (RP), uses OpenID to authenticate users – Analogous to SAML Service Provider (SP) • OpenID Provider (OP), is a server identified by an OpenID. – OP invoked by RP to find out if the user sitting at the browser knows the password for claimed OpenID – Analogous to SAML Identity Provider (IdP) EuroCAMP, Stockholm EuroCAMP, Stockholm 7 May 20088 7 May 20088 4

  5. Shib Shibbolet oleth Develo Developmen ent a t and Su d Supp pport Services t Services What is OpenID? What is OpenID? • Conventions for form field name, logo • “An” OpenID is the “username” I type, e.g., fculloch.protectnetwork.org • The protocols used between the RP and the OP (all layered on top of HTTP, versions: 1, 2) • Transport for user attributes from OP to RP • A movement (or bandwagon) • A political programme EuroCAMP, Stockholm EuroCAMP, Stockholm 7 May 7 May 20088 20088 5

  6. Shib Shibbolet oleth Develo Developmen ent a t and Su d Supp pport Services t Services What is OpenID not? What is OpenID not? • No association of OpenID with real- world person (bgates.myopenid.org could be anyone) – So more like a traditional username (bgates) than… – …an X.509 personal certificate, where a trusted 3 rd party (the CA) vouches for a real- world name, org. • No association of user with any organisation – c.f. eduPersonScopedAffiliation in SAML feds • Not authoritative source of organisational EuroCAMP, Stockholm EuroCAMP, Stockholm 7 May 20088 7 May 20088 6

  7. Shib Shibbolet oleth Develo Developmen ent a t and Su d Supp pport Services t Services Political goals Political goals • “User- centric” identity – OpenID used should be the user’s choice, not the RP’s (or the OP’s) • An OpenID should remain usable if the OP goes out of business, changes its name, DNS reassigned etc. • Ultimately, it must be possible to operate your own OP rather than relying on an infrastructure provider (e.g., a commercial or campus OP) – Lightweight open- source implementations available EuroCAMP, Stockholm EuroCAMP, Stockholm 7 May 20088 7 May 20088 7

  8. Shib Shibbolet oleth Develo Developmen ent a t and Su d Supp pport Services t Services How realistic are those goals? How realistic are those goals? • Those “user- centric” properties are what mainly distinguish the way OpenID is used, but… • If anyone can create their own OpenIDs, the original problem (comment spam) isn’t solved • My fculloch.protectnetwork.org “Open”ID is tied to a particular provider. I could set up fculloch.org instead (indirection is allowed) but – It’s harder to set up (vs. AOL, Yahoo! free OpenIDs) – So most users don’t (how many have own EuroCAMP, Stockholm EuroCAMP, Stockholm 7 May 20088 7 May 20088 8

  9. Shib Shibbolet oleth Develo Developmen ent a t and Su d Supp pport Services t Services $64,000 question $64,000 question • Will important RPs want to deal with (trust) arbitrary OPs? – To date, many more orgs want to be OPs than RPs – SourceForge may change this, too soon to tell, note: � They require additional registration details � You must still create a trad. username/ password, for use with non- web services – Some potential campus RPs say they won’t trust arbitrary OPs, want to restrict user to campus OP EuroCAMP, Stockholm EuroCAMP, Stockholm 7 May 20088 7 May 20088 9

  10. Shibbolet Shib oleth Develo Developmen ent a t and Su d Supp pport Services t Services Restricting OP choice breaks model Restricting OP choice breaks model • RPs restricting user choice of OP breaks “user- centricity” • RP blacklisting or whitelisting of OPs or individual OpenIDs starts to look a bit like a federation • Without free choice, OpenID is just an alternative authN/ attribute transfer protocol to SAML (protocol war, yawn!) and a much criticised one at that: – Phishing weaknesses EuroCAMP, Stockholm EuroCAMP, Stockholm – Intrinsically unidentified OPs (vs known IdPs in a 7 May 20088 7 May 20088 10 10

  11. Shib Shibbolet oleth Develo Developmen ent a t and Su d Supp pport Services t Services How OpenID How OpenID differs from federations differs from federations Trusted 3 rd party Any OP in the world to any (federation) enrols/ verifies RP members from specific community SP can authZ on user’s org. No way to verify any claimed affiliation (ePSA) verified by org. affiliation attribute fed (Usually) rules of anarchic membership, attribute standards. Org. verification enables Inherently discloses privacy- preserving temp ids persistent, cross- service id EuroCAMP, Stockholm EuroCAMP, Stockholm 7 May 7 May 20088 20088 11 11 t RP

  12. Shib Shibbolet oleth Develo Developmen ent a t and Su d Supp pport Services t Services But what if…? But what if…? • Groups of RPs, OPs get together to: – agree minimum practices – Whitelist only OPs that meet them (prob. big names) – Standardise the attributes used • That looks more like a federation. I.e., difference is more social than technical (protocol) • If my current OP is not on whitelist, I must move. Can keep same OpenID only if I have set up indirection (unusual, non- trivial). Will users EuroCAMP, Stockholm EuroCAMP, Stockholm 7 May 20088 7 May 20088 12 12

  13. Shib Shibbolet oleth Develo Developmen ent a t and Su d Supp pport Services t Services What are we (and others) doing? What are we (and others) doing? • EDINA & University of Kent awarded 7- month study into OpenID, to cover: – What OpenID is and is not (also CardSpace) – What institutions are doing / plan to do (survey, limited UK- only results to date, European input good) – How OpenID relates to SAML feds (specifically UK) – Whether OpenID may be relevant to services using licensed data – Path from institutionally managed IDs to EuroCAMP, Stockholm EuroCAMP, Stockholm 7 May 20088 7 May 20088 13 13

  14. Shib Shibbolet oleth Develo Developmen ent a t and Su d Supp pport Services t Services Integrate OpenID with a SAML fed Integrate OpenID with a SAML fed • A UK federation IdP using OpenID (any OP) to authenticate its users: – eduPersonPrincipalName attribute conveys OpenID, e.g., fculloch.protectnetwork.org@ openidbridge.ac.uk – authN only; no user attributes at present – Can SP trust bridge IdP? History of trusted national services in UK. • Example SP using licensed data, e.g., EDINA LLL – An ACL of allowed ePPNs (so not just OpenIDs) EuroCAMP, Stockholm EuroCAMP, Stockholm 7 May 20088 7 May 20088 14 14

  15. Shib Shibbolet oleth Develo Developmen ent a t and Su d Supp pport Services t Services Why integrate OpenID & SAML? Why integrate OpenID & SAML? • To allow experimentation with OpenID authN against already deployed SAML SPs – To discover appropriate uses for OpenID (e.g., trial user accounts) • To avoid diversion of effort into adding OpenID RP support to existing SAML SPs where not required • Non- proprietary alternative to existing open- access IdPs (e.g., ProtectNetwork, TypeKey) for SP testing EuroCAMP, Stockholm EuroCAMP, Stockholm 7 May 20088 7 May 20088 15 15

  16. Shib Shibbolet oleth Develo Developmen ent a t and Su d Supp pport Services t Services Initial survey feedback Initial survey feedback • Relatively little OpenID familiarity in campuses • Few concrete plans for early deployment • More interest in “campus OP” that would allow users outgoing access to blogs etc. + some level of trust at campus RPs (which would only allow campus OP) � N.B.: not user- centric! • Less interest in correlating arbitrary OpenIDs to real users (e.g. at matriculation or via account linking) � “I can see what’s in it for students, but not for institution” EuroCAMP, Stockholm EuroCAMP, Stockholm 7 May 20088 7 May 20088 16 16

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Bridging OpenID and SAML 2.0 Andreas kre Solberg andreas@uninett.no Terminology OpenID

Bridging OpenID and SAML 2.0 Andreas kre Solberg andreas@uninett.no Terminology OpenID

Bridging OpenID and SAML 2.0 Andreas kre Solberg andreas@uninett.no Terminology OpenID Terminology OpenID OpenID OpenID Consumer Identity Provider SAML 2.0 Terminology SAML 2.0 SAML 2.0 Service Provider Identity Provider What is

427 views • 16 slides
Google<-SAML->Zscaler Integration Agenda n What is SAML? n AAA, Testing,

Google<-SAML->Zscaler Integration Agenda n What is SAML? n AAA, Testing,

Summer Webinar Series Google<-SAML->Zscaler Integration Dianne Dunlap (ddunlap@mcnc.org, 919-248-8439) Client Network Engineering Webinar Links: www.mcnc.org/cne-webinars Google<-SAML->Zscaler Integration Agenda n What is

899 views • 63 slides
CLIENT INITIATED BACKCHANNEL AUTHENTICATION CIBA? CIBA is an authentication flow like OpenID

CLIENT INITIATED BACKCHANNEL AUTHENTICATION CIBA? CIBA is an authentication flow like OpenID

CLIENT INITIATED BACKCHANNEL AUTHENTICATION CIBA? CIBA is an authentication flow like OpenID Connect. However, unlike OpenID Connect, there is direct Relying Party to OpenID Provider communication without redirects through the user's browser.

505 views • 17 slides
OpenID Connect fredag 7 september 12 OpenID Connect fredag 7 september 12 Necessity for

OpenID Connect fredag 7 september 12 OpenID Connect fredag 7 september 12 Necessity for

OpenID Connect fredag 7 september 12 OpenID Connect fredag 7 september 12 Necessity for communication - information about the other part fredag 7 september 12 Trust management not solved! fredag 7 september 12 (1) OP discovery The user

254 views • 23 slides
Research on OpenID and its integration within the GravityZoo framework Jarno van de Moosdijk

Research on OpenID and its integration within the GravityZoo framework Jarno van de Moosdijk

Research on OpenID and its integration within the GravityZoo framework Jarno van de Moosdijk 1/14 Research questions How does OpenID work? What are the requirements for integrating OpenID into the GravityZoo framework? How mobile

268 views • 14 slides
WebRTC Identity in SAML Federations Mihly Mszros May 19, 2015 NIIF Institute Budapest /

WebRTC Identity in SAML Federations Mihly Mszros May 19, 2015 NIIF Institute Budapest /

WebRTC Identity in SAML Federations Mihly Mszros May 19, 2015 NIIF Institute Budapest / Hungary Agenda Education & Research Identity Federations SAML Terminology Overview of SAML auth call flow WebRTC Identity model

1.09k views • 52 slides
SAML 1.1 and its uses in eduGAIN Stefan Winter <stefan.winter@restena.lu> 1 Outline

SAML 1.1 and its uses in eduGAIN Stefan Winter <stefan.winter@restena.lu> 1 Outline

Fondation RESTENA euroCAMP 04 April 2006 SAML 1.1 and its uses in eduGAIN Stefan Winter <stefan.winter@restena.lu> 1 Outline SAML 1.1 overview Abstract operations vs. SAML profile Abstract operations: changes since

165 views • 14 slides
Introduction to OpenID Connect October 23, 2018 Michael B. Jones Identity Standards Architect

Introduction to OpenID Connect October 23, 2018 Michael B. Jones Identity Standards Architect

Introduction to OpenID Connect October 23, 2018 Michael B. Jones Identity Standards Architect Microsoft Working Together OpenID Connect What is OpenID Connect? Simple identity layer on top of OAuth 2.0 Enables RPs to verify identity

831 views • 56 slides
Subverting OpenID: Intro to Net::OpenID::Server Abram Hindle Kitchener/Waterloo Perl Mongers

Subverting OpenID: Intro to Net::OpenID::Server Abram Hindle Kitchener/Waterloo Perl Mongers

Subverting OpenID: Intro to Net::OpenID::Server Subverting OpenID: Intro to Net::OpenID::Server Abram Hindle Kitchener/Waterloo Perl Mongers Canada http://softwareprocess.es/ abram.hindle@softwareprocess.es Abram Hindle 1 Subverting

391 views • 21 slides
OpenID Connect & OAuth 2.0 Server for the Enterprise Your enterprise server for single

OpenID Connect & OAuth 2.0 Server for the Enterprise Your enterprise server for single

OpenID Connect & OAuth 2.0 Server for the Enterprise Your enterprise server for single identity sign-on provision identity API access federation management The four Connect2id server pillars Based on the latest standards OpenID

580 views • 26 slides
DIGITAL IDENTITY Ben Livshits, Microsoft Research Overview of Todays Lecture 2 Brief

DIGITAL IDENTITY Ben Livshits, Microsoft Research Overview of Todays Lecture 2 Brief

DIGITAL IDENTITY Ben Livshits, Microsoft Research Overview of Todays Lecture 2 Brief history of user Popular identity identities protocols SAML Single sign-on OpenID InfoCard and CardSpace Federated identity

786 views • 66 slides
A solution for Access Delegation based on SAML Ciro Formisano Ermanno Travaglino Isabel

A solution for Access Delegation based on SAML Ciro Formisano Ermanno Travaglino Isabel

A solution for Access Delegation based on SAML Ciro Formisano Ermanno Travaglino Isabel Matranga Access Delegation in distributed environments SAML 2.0 Condition to Delegate Implementation Future plans Access Delegation in distributed

666 views • 18 slides
Updates Jicofo Authentication : Saml v2 Multibridge support Load balancing

Updates Jicofo Authentication : Saml v2 Multibridge support Load balancing

Updates Jicofo Authentication : Saml v2 Multibridge support Load balancing LastN Nightly support Statistics and logging system News Atlassian has just acquired Blue Jimp, Jitsi will continue to evolve as an

795 views • 17 slides
Towards an OpenID -based solution to the Social Network Interoperability problem M. Mostarda,

Towards an OpenID -based solution to the Social Network Interoperability problem M. Mostarda,

W3C Workshop on the Future of Social Networking, Barcelona January 2009 Towards an OpenID -based solution to the Social Network Interoperability problem M. Mostarda, D. Palmisano, F. Zani, S. Tripodi About Us We are proud member of the W3C

252 views • 21 slides
Using SAML and XACML for Complex Resource Provisioning in Grid based Applications Yuri

Using SAML and XACML for Complex Resource Provisioning in Grid based Applications Yuri

Using SAML and XACML for Complex Resource Provisioning in Grid based Applications Yuri Demchenko, Leon Gommans, Cees de Laat System and Network Engineering Group University of Amsterdam POLICY2007 Workshop 13-15 June 2007, Bologna Outline

532 views • 25 slides
Oasis SSTC F2F 4 th Feb 2004 W25 - Kerberos & SAML John Hughes, Entegrity Solutions Tim

Oasis SSTC F2F 4 th Feb 2004 W25 - Kerberos & SAML John Hughes, Entegrity Solutions Tim

Oasis SSTC F2F 4 th Feb 2004 W25 - Kerberos & SAML John Hughes, Entegrity Solutions Tim Alsop, CyberSafe Limited Current Document Progress Two documents : Generalised AuthnRequest Profiles Working Draft 02, 1st February 2004

239 views • 7 slides
Chapter 1: Introduction to Computer Science and Media Computation Story What is computer

Chapter 1: Introduction to Computer Science and Media Computation Story What is computer

Chapter 1: Introduction to Computer Science and Media Computation Story What is computer science about? What computers really understand, and where Programming Languages fit in Media Computation: Why digitize media? How can it

410 views • 27 slides
LFG Syntactic Theory Winter Semester 2009/2010 Antske Fokkens Department of Computational

LFG Syntactic Theory Winter Semester 2009/2010 Antske Fokkens Department of Computational

Introduction F-structures LFG Syntactic Theory Winter Semester 2009/2010 Antske Fokkens Department of Computational Linguistics Saarland University 17 November 2009 Antske Fokkens Syntax Lexical Functional Grammar 1 / 33 Introduction

718 views • 34 slides
IPv6?? Yawn amiright? Actually, IPv6 adoption is now very robust. E.g.: Google Clients

IPv6?? Yawn amiright? Actually, IPv6 adoption is now very robust. E.g.: Google Clients

Dont Forget to Lock the Back Door! A Characterization of IPv6 Network Security Policy Jakub (Jake) Czyz, University of Michigan & QuadMetrics, Inc. Matthew Luckie, University of Waikato Mark Allman, International Computer Science

552 views • 17 slides
TANSU A Workflow for Cabinet Layout Pavneet Arora PART I W Tansu is the Japanese

TANSU A Workflow for Cabinet Layout Pavneet Arora PART I W Tansu is the Japanese

TANSU A Workflow for Cabinet Layout Pavneet Arora PART I W Tansu is the Japanese word for storage unit. Tansu Frank Lloyd Wright designed version of the Imperial Hotel, Tokyo. What problem does it try to solve? Tie need to

786 views • 24 slides
Introduction to Computer Security Session 0 Introduction and Threat Modeling Prof. Nadim

Introduction to Computer Security Session 0 Introduction and Threat Modeling Prof. Nadim

CSCI-UA.9480 Introduction to Computer Security Session 0 Introduction and Threat Modeling Prof. Nadim Kobeissi 0a Introduction Welcome! 2 CSCI-UA.9480: Introduction to Computer Security Nadim Kobeissi Welcome to your new course! Open

642 views • 35 slides
more on expectation 1 2 properties of expectation properties of expectation Linearity, II

more on expectation 1 2 properties of expectation properties of expectation Linearity, II

properties of expectation Linearity of expectation, I For any constants a, b : E[ aX + b ] = a E[ X ] + b more on expectation 1 2 properties of expectation properties of expectation Linearity, II Note: Linearity is special! Let X

322 views • 5 slides
Informatics 1 Computation and Logic CNF DNF and quantifiers Michael Fourman 1 Boolean Algebra

Informatics 1 Computation and Logic CNF DNF and quantifiers Michael Fourman 1 Boolean Algebra

Informatics 1 Computation and Logic CNF DNF and quantifiers Michael Fourman 1 Boolean Algebra x ( y z ) = ( x y ) z x ( y z ) = ( x y ) z associative x ( y z ) = ( x y ) ( x z ) x ( y

344 views • 17 slides
Key safety messages: The following slides are a subset of the talk provided on 17 May

Key safety messages: The following slides are a subset of the talk provided on 17 May

30/05/2017 17 May 2017 Rural Dividend Event Sue Senger, PhD, RPBio, PAg Windwalker Consulting Services St't'imc Government Services Key safety messages: The following slides are a subset of the talk provided on 17 May 2017 1

439 views • 8 slides

More recommend