Upload: cristian-vat

Post on 14-Jul-2015
TRANSCRIPT

AAA

- Authentication (topic of the day)
- Authorization
- Accounting

Why 3 A’s?

- It’s more modular/flexible
- More secure
- Good code/design practice

Authentication

- Basic security requirement
- Request some form of authentication from a user, server or software
- Verify that the authentication information received is correct

Authentication Mechanisms

- Something you know
- Something you have
- Something you are

Something you know

- Username
- Password
- Answer to a question (think CAPTCHA)

Something you have

- IP Address
- Security Token
- Electronic signature

Something you are

- Fingerprint
- Iris scan
- Other biometric scans

So what does all that do?

It proves that you are a… Directory Entry

Who authenticates a user?

- Your application
- Someone else (outsourcing is cool)

Auth in Your application

- You have the list of users/passwords
- You have control
- The user doesn’t have control
- Doesn’t scale (for you or for your users)

Scaling problem for you

- If you have multiple sites/services there’s no easy way to share accounts
- Duplication of user data and more configuration

Scaling problem for the user

I have:

- 5 email/webmail accounts
- 2-3 IM accounts
- 2 secure tokens for electronic banking
- 10+ Linux accounts
- 200+ user accounts on various websites (most of which I don’t even remember I have)
- ..and the list goes on

Outsourced/Distributed Authentication

- Clear separation of functionality
- Better control/storage of user database
- Main advantages are increased scalability and SSO (Single Sign On)

Some concepts

Identity Provider

- A computer system that issues credentials to individual end users and also verifies that the issued credentials are valid.
- For OpenID it’s called an OpenID Provider
- It both creates the usernames/OpenIDs/etc. and does the authentication for them.

Service Provider

- The site that wants to verify the end-user's identifier.
- Also called “Relying Party”

Outsourced Authentication Types

- Centralized (CAMS, or your own solution)
- Federated (Shibboleth)
- Decentralized (OpenID)

CAMS

- Proprietary (http://www.cafesoft.com/products/cams/camsOverview.html)
- Integration with J2EE servers, Apache
- Pretty good documentation/resources for a closed/commercial solution

CAMS Architecture

Centralized Authentication

- You can make your own
- Allows better control over Authentication, but also provides more possibilities for Authorization and Accounting
- Single point for improvements ..but also Single Point of Failure…

Shibboleth

- Federated authentication and authorization.
- Open-source and based on open standards (OpenSAML)
- Used in Higher Education in England/Germany
- http://shibboleth.internet2.edu/

Shibboleth - Federated

- IdPs and SPs are grouped into Federations
- Federations are based on Trust
- Example: UK Higher Education Federation, Deutsches Forschungsnetz Federation

Shibboleth - Advantages

- Best suited for Universities or other types of institutions
- A service provider only needs to know I am from University/Institution X (which they provide a service to) and not who exactly I am
- Where Are You From service – easy finding of your IdP
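As an added illustration of the federation point above (not code from the deck or from the Shibboleth project): the service-provider side accepts an assertion only if it comes from an IdP listed in the federation, the signature verifies, it is addressed to this SP and it is still valid, and it then keeps only the affiliation attribute, not the user's identity. The federation list, the entity IDs and the HMAC "signature" are constructed assumptions standing in for Shibboleth's signed SAML metadata and XML signatures.

```python
import hashlib
import hmac
import json
import time

# Constructed federation metadata (assumption): the IdPs this SP trusts and a
# key per IdP. A real Shibboleth federation distributes X.509 certificates in
# signed SAML metadata; shared HMAC keys stand in for that here.
FEDERATION = {
    "https://idp.university-x.example/idp": b"key-for-university-x",
    "https://idp.university-y.example/idp": b"key-for-university-y",
}
SP_ENTITY_ID = "https://journals.example/sp"  # this service provider's entity ID


def sign_assertion(issuer, claims):
    """IdP side: serialise the claims and sign them (HMAC stands in for XML-DSig)."""
    body = json.dumps(claims, sort_keys=True)
    sig = hmac.new(FEDERATION[issuer], body.encode(), hashlib.sha256).hexdigest()
    return {"issuer": issuer, "body": body, "sig": sig}


def consume_assertion(assertion, now=None):
    """SP side: accept the assertion only if the issuer is a federation member,
    the signature verifies, it is addressed to us and it has not expired.
    Returns the minimal attribute set (affiliation), never the subject."""
    now = time.time() if now is None else now
    key = FEDERATION.get(assertion["issuer"])
    if key is None:
        return None  # unknown IdP: no federation trust, no login
    expected = hmac.new(key, assertion["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["sig"]):
        return None  # forged or tampered assertion
    claims = json.loads(assertion["body"])
    if claims.get("audience") != SP_ENTITY_ID:
        return None  # assertion meant for another SP (replay across services)
    if claims.get("expires", 0) < now:
        return None  # stale assertion
    # Attribute minimisation: the SP learns "member of University X", not who.
    return {"issuer": assertion["issuer"], "affiliation": claims["affiliation"]}


if __name__ == "__main__":
    idp = "https://idp.university-x.example/idp"
    a = sign_assertion(idp, {"subject": "alice", "affiliation": "member",
                             "audience": SP_ENTITY_ID, "expires": time.time() + 300})
    print(consume_assertion(a))  # affiliation and issuer only, no subject
```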

Shibboleth – Browser POST

Shibboleth – Browser Artifact

Shibboleth - WAYF

Shibboleth - Support

- Everything is open-source and there’s a lot of documentation available
- Apache2 module available
- JAAS SecurityFilter available
- Some WAYF implementation samples available

OpenID

OpenID is:

- An open, decentralized single-sign-on standard
- a URL
- A Foundation
- A buzzword

OpenID - Advantages

+ open
+ gained wide adoption from major players (Google, Microsoft, Yahoo!)
+ fully decentralized
+ lots of application/framework/language support

OpenID - Disadvantages

- an OpenID is a URL
- no standard/specification way for something like a WAYF service
- no trust network
- big phishing target

OpenID – Demo(s)

Q&A