TRANSCRIPT
Authentication
Basic security requirement
Request some form of authentication from a user, server or software
Verify that the authentication information received is correct
Auth in Your Application
You have the list of users/passwords
You have control
The user doesn’t have control
Doesn’t scale (for you or for your users)
Scaling Problem for You
If you have multiple sites/services there’s no easy way to share accounts
Duplication of user data and more configuration
…
Scaling Problem for the User
I have:
5 email/webmail accounts
2-3 IM accounts
2 secure tokens for electronic banking
10+ Linux accounts
200+ user accounts on various websites (most of which I don’t even remember I have)
...and the list goes on
Outsourced/Distributed Authentication
Clear separation of functionality
Better control/storage of user database
Main advantages are increased scalability and SSO (Single Sign On)
Identity Provider
A computer system that issues credentials to individual end users and also verifies that the issued credentials are valid.
For OpenID it’s called an OpenID Provider
It both creates the usernames/OpenIDs/etc. and does the authentication for them.
Service Provider
The site that wants to verify the end-user's identifier.
Also called “Relying Party”
Outsourced Authentication Types
Centralized (CAMS, or your own solution)
Federated (Shibboleth)
Decentralized (OpenID)
CAMS
Proprietary (http://www.cafesoft.com/products/cams/camsOverview.html)
Integration with J2EE servers, Apache
Pretty good documentation/resources for a closed/commercial solution
Centralized Authentication
You can make your own
Allows better control over Authentication, but also provides more possibilities for Authorization and Accounting
Single point for improvements ...but also Single Point of Failure
Shibboleth
Federated authentication and authorization.
Open-source and based on open standards (OpenSAML)
Used in Higher Education in England/Germany
http://shibboleth.internet2.edu/
Shibboleth - Federated
IdPs and SPs are grouped into Federations
Federations are based on Trust
Example: UK Higher Education Federation, Deutsches Forschungsnetz Federation
Shibboleth - Advantages
Best suited for Universities or other types of institutions
A service provider only needs to know I am from University/Institution X (which they provide a service to) and not who exactly I am
Where Are You From service – easy finding of your IdP
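The IdP/SP split described in the Identity Provider and Service Provider slides, and the Shibboleth point that the SP learns only the affiliation, shown as an added toy model (not Shibboleth, SAML or OpenID code, and not from the slides). The IdP keeps the only copy of the user database and issues a short-lived, signed assertion for one named SP; the SP holds no passwords and only checks signature, issuer, audience and expiry. The host names, key and user record are constructed; the shared HMAC key stands in for the IdP signing key that a real federation would publish as a public key in its metadata.

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed toy deployment: one IdP and one SP. Hypothetical names.
IDP_ID = "idp.example-university.test"
SP_ID = "library.example-sp.test"
# Stand-in for the IdP's signing key; a real federation uses a public key
# distributed via federation metadata so that SPs cannot forge assertions.
IDP_SIGNING_KEY = b"constructed-demo-key-do-not-reuse"

# The user database lives only at the IdP (constructed record).
IDP_USERS = {
    "alice": {"pw_hash": hashlib.sha256(b"correct horse").hexdigest(),
              "affiliation": "example-university"},
}


def idp_issue_assertion(username: str, password: str, audience: str,
                        now: float) -> Optional[str]:
    """IdP side: authenticate against the local user DB, then issue a signed
    assertion that carries only the affiliation attribute, never the username,
    scoped to one SP (audience) and valid for five minutes."""
    user = IDP_USERS.get(username)
    if user is None or not hmac.compare_digest(
            user["pw_hash"], hashlib.sha256(password.encode()).hexdigest()):
        return None
    claims = {"iss": IDP_ID, "aud": audience, "exp": int(now) + 300,
              "affiliation": user["affiliation"]}
    payload = json.dumps(claims, sort_keys=True)
    sig = hmac.new(IDP_SIGNING_KEY, payload.encode(), "sha256").hexdigest()
    return payload + "." + sig


def sp_verify_assertion(token: str, now: float) -> Optional[str]:
    """SP side: no password handling at all. Check the signature first, then
    that the assertion was issued by the trusted IdP for this SP and has not
    expired; return the affiliation, which is all the SP needs to know."""
    payload, _, sig = token.rpartition(".")
    expected = hmac.new(IDP_SIGNING_KEY, payload.encode(), "sha256").hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None  # tampered or not signed by the IdP
    claims = json.loads(payload)
    if claims.get("iss") != IDP_ID or claims.get("aud") != SP_ID:
        return None  # wrong issuer, or an assertion meant for another SP
    if now >= claims.get("exp", 0):
        return None  # expired; replayed old assertions are rejected
    return claims.get("affiliation")
```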
Shibboleth - Support
Everything is open-source and there’s a lot of documentation available
Apache2 module available
JAAS SecurityFilter available
Some WAYF implementation samples available
OpenID - Advantages
+ open
+ gained wide adoption from major players (Google, Microsoft, Yahoo!)
+ fully decentralized
+ lots of application/framework/language support
OpenID - Disadvantages
- an OpenID is a URL
- no standard/specification way for something like a WAYF service
- no trust network
- big phishing target