Federated Shibboleth, OpenID, oAuth, and Multifactor | 1
Federated Shibboleth, OpenID, oAuth, and Multifactor
Russell Beall, Senior Programmer/Analyst
University of Southern California [email protected]
University of Southern California
Private research university, founded 1880
Budget: $2.9 billion annually; $560.9 million sponsored research
Locations: two major LA campuses, six additional US locations, four international offices
http://about.usc.edu/facts
University of Southern California
298,000+ affiliated individuals
17,500 undergraduate students
20,500 graduate and professional students
3,400 full-time faculty
11,800 staff
240,000 alumni
5200 sponsored affiliates with active services
157 self-registered guest accounts (so far)
Problems solved
Faculty/Staff/Student/Guest access:
systems of record
automated account creation
sponsorship and vetting
mature access control infrastructure
Problems solved
Federated access self-registration:
no USC account to maintain
limited sponsorship/vetting
works within mature access control infrastructure
New Interesting Problems
oAuth, OpenID, Multifactor
oAuth and OpenID
Alternative to Shibboleth
Federated login useful for:
non-participants
strict access IdPs
replacement of ProtectNetwork
oAuth and OpenID
oAuth – secure
Data retrieved on backend
server-to-server communication
trust token exchange
secret key/token signing of requests
Not subject to spoofing
OpenID – insecure (untrustworthy)
Data returned in HTTP GET parameter
Easily spoofed using proxy server
♦ Haven’t run a spoof test, so I may be proven wrong…
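The contrast drawn on this slide, as an added toy model that is not part of the deck and not a real OAuth or OpenID library: a relying party that reads the identity out of the browser's GET parameter accepts whatever the URL carries, while the oAuth-style relying party only receives an opaque code and obtains the identity over a back channel that requires the client secret. The provider functions, CLIENT_SECRET and the query strings are constructed assumptions.

```python
"""Toy model: front-channel identity in a GET parameter vs. identity fetched
over a back channel with a shared client secret (constructed example)."""
import hmac
import secrets
from urllib.parse import parse_qs

# --- Provider side (constructed stand-in for an oAuth provider) ---
CLIENT_SECRET = "rp-client-secret"      # shared with the relying party out of band
_issued_codes = {}                      # opaque code -> user the provider authenticated


def provider_issue_code(user):
    """Provider authenticated `user`; hand the browser an opaque, single-use code."""
    code = secrets.token_hex(8)
    _issued_codes[code] = user
    return code


def provider_token_exchange(code, client_secret):
    """Back-channel endpoint: only a holder of the client secret can redeem a code.
    Returns the authenticated user, or None for a bad secret, forged or replayed code."""
    if not hmac.compare_digest(client_secret, CLIENT_SECRET):
        return None
    return _issued_codes.pop(code, None)  # pop makes the code single use


# --- Relying party side ---
def rp_identity_from_get(query):
    """The pattern the slide calls insecure: trust the identity the browser sent.
    Anything the user (or a proxy) types into the URL is accepted as-is."""
    return parse_qs(query).get("identity", [None])[0]


def rp_identity_via_backend(query, client_secret):
    """oAuth-style: the browser carries only a code; the identity comes from the
    provider over server-to-server communication that a proxy cannot forge."""
    code = parse_qs(query).get("code", [None])[0]
    if code is None:
        return None
    return provider_token_exchange(code, client_secret)


if __name__ == "__main__":
    print(rp_identity_from_get("identity=anyone%40example.edu"))  # accepted unverified
    code = provider_issue_code("alice@example.edu")
    print(rp_identity_via_backend("code=forged", CLIENT_SECRET))  # None
    print(rp_identity_via_backend("code=" + code, CLIENT_SECRET))  # alice@example.edu
```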
Multifactor
several quality levels:
lightweight version
local credential plus oAuth
local credential plus federated Shibboleth
full-fledged options
tiqr
Duo
others
Multifactor
Two types possible with Shib:
decided by application
app chooses other factor(s) and requests as needed
authentication contexts coordinated by SP config
IdP-based
IdP uses multiple factors within a single context
Trust
What is the trust model? How do we trust:
a hardware token?
an oAuth authentication event?
a Federation member authentication event?
Trust
Trust is established with:
vetting
token management practices
Applies equally to hard or soft tokens
Either must be registered
Registration
Multifactor requires hardware token linking
phone
keyfob
oAuth/Federated authentication
good = vetted registration under supervision
sufficient(?) = telephone/email communication of identifier to be trusted
If nobody controls registration, neither can be trusted
Enrichment
Registration of oAuth or Federation guest creates simple LDAP account
No password
Allows for enrichment of additional data including access entitlements
Targeted enrichment creates a layer of trust
♦ Layer is thin but workable
For Future Pondering
With sufficient vetting, could a software token as a second factor authentication be acceptable?
Plus points:
low budget
hacking one account is easy, hacking two and knowing the linkage is not
Negatives:
duplicated passwords
depends on free APIs with no service contract