SlideShare ist ein Scribd-Unternehmen logo

TrustBearer - Virginia Security Summit - Web Authentication Strategies - April 2009

•
•
TrustBearer
TrustBearer

TrustBearer's Brian Kelly gave this presentation during the Identity Management track at the Virginia Security Summit in Richmond, VA. It compares SAML to OpenID and explains how different authentication methods can be used with either of these Single Sign On standards.

Technologie
1 von 21
Web Authentication Strategies Virginia Security Summit Identity Management April 27, 2009 Brian Kelly Vice President TrustBearer Labs a partner company of VeriSign, Inc.
Simplify Techniques and technology that can be leveraged to make managing user accounts easier and more secure SAML 2
Know your users Employees Citizens • 1,000+ • 100,000+ • Identity vetted • Internet-based identity • Bulk-provisioning • On-the-fly-provisioning (with official email) (with Internet email) • IT staff to handle • Automated support support requests requests 3
Identity vetting • Employee identities are vetted in advance, in-person • Citizens may need vetting, depending on services accessed, but in-person vetting is rarely available 4
Account Provisioning • Employees are typically assigned an email address, network account, and temporary password after hire. ‣ Then (some) applications are provisioned • Citizens typically request an account after proving their identity (e.g. driver’s license number & date of birth) ‣ Then username & password are created, and (one) application is provisioned. 5
Support • Help desk staff to support employee requests (e.g. password reset, new application access) • Citizen requests may be of much higher volume, which require more automated support options 6
Making it easier 7
Employee Web Apps • Use a single SAML Identity Provider Make web apps SAML consumers • Provision all apps using SAML user IDs • Employee authenticates in once place and gets access to all provisioned applications • Account support is centralized • Can still use OTP, smart card, or password (more on that later) 8
How does SAML work? veries signed assertions User is logged-in creates signed App 1 to web app Login Web Page assertions user SAML ID App 2 user Provider user authenticates users App 3 Other SAML Service Providers LDAP (consumers) Auth. 9
Citizen Web Apps • Make web apps OpenID Relying Parties and stop managing usernames & passwords • Use existing ID vetting process or outsource • Add an Extended Validation SSL certificate • Citizen gets to reuse existing credentials • Can still use OTP, smart card, or password • Account support is partially outsourced 10
How does OpenID work? Citizen Web App Web app Citizen is logged-in Page Login veries previously to web app user enrolled OpenID Citizen user Web App OpenID user Relying Party (consumer) Citizen identity vetting could take place during OpenID enrollment stage. User authenticates to IDP and enables account to be used with government site 11
SAML • Consumer focused • Enterprise focused • On-the-fly-provisioning • Bulk-provisioning (on-the-fly supported) • Many identity providers • Identity Provider is available online for internal to consumers to choose organization (typically) • Mostly open-source, • Commercial and OS and COTS services products available 12
What about authentication options? 13
End-point authentication is agnostic of SSO standard All can be supported by SAML or OpenID • username / password • one time password (OTP) tokens • smart cards (e.g. PIV, CAC, FRAC) • client digital certificates • information cards • biometrics • image verification 14
Identity Provider decides end- point authentication options • Google,Yahoo, AOL: password • myOpenID: password, phone verify, client certificate, info card • VeriSign PIP: OTP, client certificate, info card, EV SSL • TrustBearer: smart cards (CAC, PIV, etc.), biometrics • Vidoop: Image recognition (CAPTCHA) The IdP can specify authentication methods used to the RP, which can even request preferences. 15
What authentication method to choose? 16
Required Protections for OMB’s E-Auth Assurance Levels Level 1 Level 2 Level 3 Level 4 Protect against ✓ ✓ ✓ ✓ On-line guessing Replay ✓ ✓ ✓ ✓ Eavesdropper ✓ ✓ ✓ Verifier impersonation ✓ ✓ ✓ Man-in-the-middle ✓ ✓ Session hijacking ✓ From NIST SP 800-63 p. 39 17
Token Types Allowed At Each Assurance Level Level 1 Level 2 Level 3 Level 4 Token Type ✓ ✓ ✓ ✓ Hard Crypto Token ✓ ✓ ✓ One-time password device ✓ ✓ ✓ Soft crypto token ✓ ✓ Passwords & PINs From NIST SP 800-63 p. 39 18
OpenID Provider Authentication Policy Extension (PAPE) • Provides a way for Relying Parties to request / view authentication policies of Identity Provider • Policies: Phishing-resistant, Multi-Factor, and Physical Multi-Factor • Preferred authentication levels e.g. NIST: 1, 2, 3, 4 SAML also allows authentication attributes to be added to a message 19
In summary • You have better options than managing usernames & passwords for every web app • SAML has strong enterprise support • OpenID is convenient for Internet users • There are many end-point authentication options for each SSO option. • Perform a risk-based analysis on your app to choose an authentication type 20
Thank you http://trustbearer.com http://www.verisign.com/authentication/ Brian Kelly brian.kelly@trustbearer.com twitter.com/TrustBearer Vice President TrustBearer Labs a partner company of VeriSign, Inc.

Empfohlen

TrustBearer - CTST 2009 - OpenID & Strong Authentication
TrustBearer - CTST 2009 - OpenID & Strong AuthenticationTrustBearer - CTST 2009 - OpenID & Strong Authentication
TrustBearer - CTST 2009 - OpenID & Strong AuthenticationTrustBearer
 
Neumann 24727 B10.12 Update 20091029 AM R3
Neumann 24727 B10.12 Update 20091029 AM R3Neumann 24727 B10.12 Update 20091029 AM R3
Neumann 24727 B10.12 Update 20091029 AM R3Agile Set, LLC
 
Mobile Cloud Identity
Mobile Cloud IdentityMobile Cloud Identity
Mobile Cloud IdentityMark Diodati
 
Two factor authentication-in_your_network_e_guide
Two factor authentication-in_your_network_e_guideTwo factor authentication-in_your_network_e_guide
Two factor authentication-in_your_network_e_guideNick Owen
 
Smart Cards & Devices Forum 2012 - Securing Cloud Computing
Smart Cards & Devices Forum 2012 - Securing Cloud ComputingSmart Cards & Devices Forum 2012 - Securing Cloud Computing
Smart Cards & Devices Forum 2012 - Securing Cloud ComputingOKsystem
 
Authentication.Next
Authentication.NextAuthentication.Next
Authentication.NextMark Diodati
 
今更聞けない電子認証入門 - OAuth 2.0/OIDCからFIDOまで -
今更聞けない電子認証入門 - OAuth 2.0/OIDCからFIDOまで -今更聞けない電子認証入門 - OAuth 2.0/OIDCからFIDOまで -
今更聞けない電子認証入門 - OAuth 2.0/OIDCからFIDOまで -Naoto Miyachi
 
Sp 29 two_factor_auth_guide
Sp 29 two_factor_auth_guideSp 29 two_factor_auth_guide
Sp 29 two_factor_auth_guideHai Nguyen
 

Empfohlen

TrustBearer - CTST 2009 - OpenID & Strong Authentication
TrustBearer - CTST 2009 - OpenID & Strong AuthenticationTrustBearer - CTST 2009 - OpenID & Strong Authentication
TrustBearer - CTST 2009 - OpenID & Strong AuthenticationTrustBearer
 
Neumann 24727 B10.12 Update 20091029 AM R3
Neumann 24727 B10.12 Update 20091029 AM R3Neumann 24727 B10.12 Update 20091029 AM R3
Neumann 24727 B10.12 Update 20091029 AM R3Agile Set, LLC
 
Mobile Cloud Identity
Mobile Cloud IdentityMobile Cloud Identity
Mobile Cloud IdentityMark Diodati
 
Two factor authentication-in_your_network_e_guide
Two factor authentication-in_your_network_e_guideTwo factor authentication-in_your_network_e_guide
Two factor authentication-in_your_network_e_guideNick Owen
 
Smart Cards & Devices Forum 2012 - Securing Cloud Computing
Smart Cards & Devices Forum 2012 - Securing Cloud ComputingSmart Cards & Devices Forum 2012 - Securing Cloud Computing
Smart Cards & Devices Forum 2012 - Securing Cloud ComputingOKsystem
 
Authentication.Next
Authentication.NextAuthentication.Next
Authentication.NextMark Diodati
 
今更聞けない電子認証入門 - OAuth 2.0/OIDCからFIDOまで -
今更聞けない電子認証入門 - OAuth 2.0/OIDCからFIDOまで -今更聞けない電子認証入門 - OAuth 2.0/OIDCからFIDOまで -
今更聞けない電子認証入門 - OAuth 2.0/OIDCからFIDOまで -Naoto Miyachi
 
Sp 29 two_factor_auth_guide
Sp 29 two_factor_auth_guideSp 29 two_factor_auth_guide
Sp 29 two_factor_auth_guideHai Nguyen
 
Securing online services by combining smart cards and web-based applications
Securing online services by combining smart cards and web-based applicationsSecuring online services by combining smart cards and web-based applications
Securing online services by combining smart cards and web-based applicationsOlivier PotonniĂŠe
 
Session 7 e_raja_kailar
Session 7 e_raja_kailarSession 7 e_raja_kailar
Session 7 e_raja_kailarHai Nguyen
 
Smart Card Authentication
Smart Card AuthenticationSmart Card Authentication
Smart Card AuthenticationDan Usher
 
Securing corporate assets_with_2_fa
Securing corporate assets_with_2_faSecuring corporate assets_with_2_fa
Securing corporate assets_with_2_faHai Nguyen
 
LINEのFIDO導入と将来展望
LINEのFIDO導入と将来展望LINEのFIDO導入と将来展望
LINEのFIDO導入と将来展望FIDO Alliance
 
OpenID Connect: The new standard for connecting to your Customers, Partners, ...
OpenID Connect: The new standard for connecting to your Customers, Partners, ...OpenID Connect: The new standard for connecting to your Customers, Partners, ...
OpenID Connect: The new standard for connecting to your Customers, Partners, ...Salesforce Developers
 
Identity and Access Management Provider
Identity and Access Management ProviderIdentity and Access Management Provider
Identity and Access Management ProviderPriyanka Agarwal
 
Sign in with Apple
Sign in with Apple Sign in with Apple
Sign in with Apple Nov Matake
 
OAuth 2.0 & OpenID Connect @ OpenSource Conference 2011 Tokyo #osc11tk
OAuth 2.0 & OpenID Connect @ OpenSource Conference 2011 Tokyo #osc11tkOAuth 2.0 & OpenID Connect @ OpenSource Conference 2011 Tokyo #osc11tk
OAuth 2.0 & OpenID Connect @ OpenSource Conference 2011 Tokyo #osc11tkNov Matake
 
US Security for Cyber Security
US Security for Cyber SecurityUS Security for Cyber Security
US Security for Cyber SecurityArtanContracting
 
Implementing MITREid - CIS 2014 Presentation
Implementing MITREid - CIS 2014 PresentationImplementing MITREid - CIS 2014 Presentation
Implementing MITREid - CIS 2014 PresentationJustin Richer
 
Going beyond MFA(Multi-factor authentication)-Future demands much more
Going beyond MFA(Multi-factor authentication)-Future demands much moreGoing beyond MFA(Multi-factor authentication)-Future demands much more
Going beyond MFA(Multi-factor authentication)-Future demands much moreindragantiSaiHiranma
 
Enabling Web Apps For DoD Security via PKI/CAC Enablement (Forge.Mil case study)
Enabling Web Apps For DoD Security via PKI/CAC Enablement (Forge.Mil case study)Enabling Web Apps For DoD Security via PKI/CAC Enablement (Forge.Mil case study)
Enabling Web Apps For DoD Security via PKI/CAC Enablement (Forge.Mil case study)Richard Bullington-McGuire
 
2 factor authentication 3 [compatibility mode]
2 factor authentication 3 [compatibility mode]2 factor authentication 3 [compatibility mode]
2 factor authentication 3 [compatibility mode]Hai Nguyen
 
Why Assertion-based Access Token is preferred to Handle-based one?
Why Assertion-based Access Token is preferred to Handle-based one?Why Assertion-based Access Token is preferred to Handle-based one?
Why Assertion-based Access Token is preferred to Handle-based one?Hitachi, Ltd. OSS Solution Center.
 
Securing a Web App with Security Keys
Securing a Web App with Security KeysSecuring a Web App with Security Keys
Securing a Web App with Security KeysFIDO Alliance
 
WSO2 Guest Webinar: FIDO Universal Second Factor (U2F) for WSO2 Identity Server
WSO2 Guest Webinar: FIDO Universal Second Factor (U2F) for WSO2 Identity ServerWSO2 Guest Webinar: FIDO Universal Second Factor (U2F) for WSO2 Identity Server
WSO2 Guest Webinar: FIDO Universal Second Factor (U2F) for WSO2 Identity ServerWSO2
 
エンタープライズの視点からFIDOとFederationのビジネスを考える
エンタープライズの視点からFIDOとFederationのビジネスを考えるエンタープライズの視点からFIDOとFederationのビジネスを考える
エンタープライズの視点からFIDOとFederationのビジネスを考えるMasaru Kurahayashi
 
FIDO UAF 1.0 Specs: Overview and Insights
FIDO UAF 1.0 Specs: Overview and InsightsFIDO UAF 1.0 Specs: Overview and Insights
FIDO UAF 1.0 Specs: Overview and InsightsFIDO Alliance
 
Securing a Web App with Passwordless Web Authentication
Securing a Web App with Passwordless Web AuthenticationSecuring a Web App with Passwordless Web Authentication
Securing a Web App with Passwordless Web AuthenticationFIDO Alliance
 
Strong Authentication in Web Application / ConFoo.ca 2011
Strong Authentication in Web Application / ConFoo.ca 2011Strong Authentication in Web Application / ConFoo.ca 2011
Strong Authentication in Web Application / ConFoo.ca 2011Sylvain Maret
 
Webinar - Easy multi factor authentication strategies and PCI DSS
Webinar - Easy multi factor authentication strategies and PCI DSSWebinar - Easy multi factor authentication strategies and PCI DSS
Webinar - Easy multi factor authentication strategies and PCI DSSonionid12
 

Weitere ähnliche Inhalte

Was ist angesagt?

Securing online services by combining smart cards and web-based applications
Securing online services by combining smart cards and web-based applicationsSecuring online services by combining smart cards and web-based applications
Securing online services by combining smart cards and web-based applicationsOlivier PotonniĂŠe
 
Session 7 e_raja_kailar
Session 7 e_raja_kailarSession 7 e_raja_kailar
Session 7 e_raja_kailarHai Nguyen
 
Smart Card Authentication
Smart Card AuthenticationSmart Card Authentication
Smart Card AuthenticationDan Usher
 
Securing corporate assets_with_2_fa
Securing corporate assets_with_2_faSecuring corporate assets_with_2_fa
Securing corporate assets_with_2_faHai Nguyen
 
LINEのFIDO導入と将来展望
LINEのFIDO導入と将来展望LINEのFIDO導入と将来展望
LINEのFIDO導入と将来展望FIDO Alliance
 
OpenID Connect: The new standard for connecting to your Customers, Partners, ...
OpenID Connect: The new standard for connecting to your Customers, Partners, ...OpenID Connect: The new standard for connecting to your Customers, Partners, ...
OpenID Connect: The new standard for connecting to your Customers, Partners, ...Salesforce Developers
 
Identity and Access Management Provider
Identity and Access Management ProviderIdentity and Access Management Provider
Identity and Access Management ProviderPriyanka Agarwal
 
Sign in with Apple
Sign in with Apple Sign in with Apple
Sign in with Apple Nov Matake
 
OAuth 2.0 & OpenID Connect @ OpenSource Conference 2011 Tokyo #osc11tk
OAuth 2.0 & OpenID Connect @ OpenSource Conference 2011 Tokyo #osc11tkOAuth 2.0 & OpenID Connect @ OpenSource Conference 2011 Tokyo #osc11tk
OAuth 2.0 & OpenID Connect @ OpenSource Conference 2011 Tokyo #osc11tkNov Matake
 
US Security for Cyber Security
US Security for Cyber SecurityUS Security for Cyber Security
US Security for Cyber SecurityArtanContracting
 
Implementing MITREid - CIS 2014 Presentation
Implementing MITREid - CIS 2014 PresentationImplementing MITREid - CIS 2014 Presentation
Implementing MITREid - CIS 2014 PresentationJustin Richer
 
Going beyond MFA(Multi-factor authentication)-Future demands much more
Going beyond MFA(Multi-factor authentication)-Future demands much moreGoing beyond MFA(Multi-factor authentication)-Future demands much more
Going beyond MFA(Multi-factor authentication)-Future demands much moreindragantiSaiHiranma
 
Enabling Web Apps For DoD Security via PKI/CAC Enablement (Forge.Mil case study)
Enabling Web Apps For DoD Security via PKI/CAC Enablement (Forge.Mil case study)Enabling Web Apps For DoD Security via PKI/CAC Enablement (Forge.Mil case study)
Enabling Web Apps For DoD Security via PKI/CAC Enablement (Forge.Mil case study)Richard Bullington-McGuire
 
2 factor authentication 3 [compatibility mode]
2 factor authentication 3 [compatibility mode]2 factor authentication 3 [compatibility mode]
2 factor authentication 3 [compatibility mode]Hai Nguyen
 
Why Assertion-based Access Token is preferred to Handle-based one?
Why Assertion-based Access Token is preferred to Handle-based one?Why Assertion-based Access Token is preferred to Handle-based one?
Why Assertion-based Access Token is preferred to Handle-based one?Hitachi, Ltd. OSS Solution Center.
 
Securing a Web App with Security Keys
Securing a Web App with Security KeysSecuring a Web App with Security Keys
Securing a Web App with Security KeysFIDO Alliance
 
WSO2 Guest Webinar: FIDO Universal Second Factor (U2F) for WSO2 Identity Server
WSO2 Guest Webinar: FIDO Universal Second Factor (U2F) for WSO2 Identity ServerWSO2 Guest Webinar: FIDO Universal Second Factor (U2F) for WSO2 Identity Server
WSO2 Guest Webinar: FIDO Universal Second Factor (U2F) for WSO2 Identity ServerWSO2
 
エンタープライズの視点からFIDOとFederationのビジネスを考える
エンタープライズの視点からFIDOとFederationのビジネスを考えるエンタープライズの視点からFIDOとFederationのビジネスを考える
エンタープライズの視点からFIDOとFederationのビジネスを考えるMasaru Kurahayashi
 
FIDO UAF 1.0 Specs: Overview and Insights
FIDO UAF 1.0 Specs: Overview and InsightsFIDO UAF 1.0 Specs: Overview and Insights
FIDO UAF 1.0 Specs: Overview and InsightsFIDO Alliance
 
Securing a Web App with Passwordless Web Authentication
Securing a Web App with Passwordless Web AuthenticationSecuring a Web App with Passwordless Web Authentication
Securing a Web App with Passwordless Web AuthenticationFIDO Alliance
 

Was ist angesagt? (20)

Securing online services by combining smart cards and web-based applications
Securing online services by combining smart cards and web-based applicationsSecuring online services by combining smart cards and web-based applications
Securing online services by combining smart cards and web-based applications
 
Session 7 e_raja_kailar
Session 7 e_raja_kailarSession 7 e_raja_kailar
Session 7 e_raja_kailar
 
Smart Card Authentication
Smart Card AuthenticationSmart Card Authentication
Smart Card Authentication
 
Securing corporate assets_with_2_fa
Securing corporate assets_with_2_faSecuring corporate assets_with_2_fa
Securing corporate assets_with_2_fa
 
LINEのFIDO導入と将来展望
LINEのFIDO導入と将来展望LINEのFIDO導入と将来展望
LINEのFIDO導入と将来展望
 
OpenID Connect: The new standard for connecting to your Customers, Partners, ...
OpenID Connect: The new standard for connecting to your Customers, Partners, ...OpenID Connect: The new standard for connecting to your Customers, Partners, ...
OpenID Connect: The new standard for connecting to your Customers, Partners, ...
 
Identity and Access Management Provider
Identity and Access Management ProviderIdentity and Access Management Provider
Identity and Access Management Provider
 
Sign in with Apple
Sign in with Apple Sign in with Apple
Sign in with Apple
 
OAuth 2.0 & OpenID Connect @ OpenSource Conference 2011 Tokyo #osc11tk
OAuth 2.0 & OpenID Connect @ OpenSource Conference 2011 Tokyo #osc11tkOAuth 2.0 & OpenID Connect @ OpenSource Conference 2011 Tokyo #osc11tk
OAuth 2.0 & OpenID Connect @ OpenSource Conference 2011 Tokyo #osc11tk
 
US Security for Cyber Security
US Security for Cyber SecurityUS Security for Cyber Security
US Security for Cyber Security
 
Implementing MITREid - CIS 2014 Presentation
Implementing MITREid - CIS 2014 PresentationImplementing MITREid - CIS 2014 Presentation
Implementing MITREid - CIS 2014 Presentation
 
Going beyond MFA(Multi-factor authentication)-Future demands much more
Going beyond MFA(Multi-factor authentication)-Future demands much moreGoing beyond MFA(Multi-factor authentication)-Future demands much more
Going beyond MFA(Multi-factor authentication)-Future demands much more
 
Enabling Web Apps For DoD Security via PKI/CAC Enablement (Forge.Mil case study)
Enabling Web Apps For DoD Security via PKI/CAC Enablement (Forge.Mil case study)Enabling Web Apps For DoD Security via PKI/CAC Enablement (Forge.Mil case study)
Enabling Web Apps For DoD Security via PKI/CAC Enablement (Forge.Mil case study)
 
2 factor authentication 3 [compatibility mode]
2 factor authentication 3 [compatibility mode]2 factor authentication 3 [compatibility mode]
2 factor authentication 3 [compatibility mode]
 
Why Assertion-based Access Token is preferred to Handle-based one?
Why Assertion-based Access Token is preferred to Handle-based one?Why Assertion-based Access Token is preferred to Handle-based one?
Why Assertion-based Access Token is preferred to Handle-based one?
 
Securing a Web App with Security Keys
Securing a Web App with Security KeysSecuring a Web App with Security Keys
Securing a Web App with Security Keys
 
WSO2 Guest Webinar: FIDO Universal Second Factor (U2F) for WSO2 Identity Server
WSO2 Guest Webinar: FIDO Universal Second Factor (U2F) for WSO2 Identity ServerWSO2 Guest Webinar: FIDO Universal Second Factor (U2F) for WSO2 Identity Server
WSO2 Guest Webinar: FIDO Universal Second Factor (U2F) for WSO2 Identity Server
 
エンタープライズの視点からFIDOとFederationのビジネスを考える
エンタープライズの視点からFIDOとFederationのビジネスを考えるエンタープライズの視点からFIDOとFederationのビジネスを考える
エンタープライズの視点からFIDOとFederationのビジネスを考える
 
FIDO UAF 1.0 Specs: Overview and Insights
FIDO UAF 1.0 Specs: Overview and InsightsFIDO UAF 1.0 Specs: Overview and Insights
FIDO UAF 1.0 Specs: Overview and Insights
 
Securing a Web App with Passwordless Web Authentication
Securing a Web App with Passwordless Web AuthenticationSecuring a Web App with Passwordless Web Authentication
Securing a Web App with Passwordless Web Authentication
 

Andere mochten auch

Strong Authentication in Web Application / ConFoo.ca 2011
Strong Authentication in Web Application / ConFoo.ca 2011Strong Authentication in Web Application / ConFoo.ca 2011
Strong Authentication in Web Application / ConFoo.ca 2011Sylvain Maret
 
Webinar - Easy multi factor authentication strategies and PCI DSS
Webinar - Easy multi factor authentication strategies and PCI DSSWebinar - Easy multi factor authentication strategies and PCI DSS
Webinar - Easy multi factor authentication strategies and PCI DSSonionid12
 
Strong Authentication in Web Applications: State of the Art 2011
Strong Authentication in Web Applications: State of the Art 2011Strong Authentication in Web Applications: State of the Art 2011
Strong Authentication in Web Applications: State of the Art 2011Sylvain Maret
 
Web authentication & authorization
Web authentication & authorizationWeb authentication & authorization
Web authentication & authorizationAlexandru Pasaila
 
Authentication and strong authentication for Web Application
Authentication and strong authentication for Web ApplicationAuthentication and strong authentication for Web Application
Authentication and strong authentication for Web ApplicationSylvain Maret
 
Web authentication
Web authenticationWeb authentication
Web authenticationPradeep J V
 
The wonderful story of Web Authentication and Single-Sign On
The wonderful story of Web Authentication and Single-Sign OnThe wonderful story of Web Authentication and Single-Sign On
The wonderful story of Web Authentication and Single-Sign OnClĂŠment OUDOT
 
[JDLL 2016] OpenID Connect et FranceConnect
[JDLL 2016] OpenID Connect et FranceConnect[JDLL 2016] OpenID Connect et FranceConnect
[JDLL 2016] OpenID Connect et FranceConnectClĂŠment OUDOT
 
Pmbok 4th edition chapter 11 - Project Risk Management
Pmbok 4th edition chapter 11 - Project Risk ManagementPmbok 4th edition chapter 11 - Project Risk Management
Pmbok 4th edition chapter 11 - Project Risk ManagementAhmad Maharma, PMP,RMP
 
PMP Training - 11 project risk management
PMP Training - 11 project risk managementPMP Training - 11 project risk management
PMP Training - 11 project risk managementejlp12
 
Implementing Enterprise Risk Management with ISO 31000:2009
Implementing Enterprise Risk Management with ISO 31000:2009Implementing Enterprise Risk Management with ISO 31000:2009
Implementing Enterprise Risk Management with ISO 31000:2009Goutama Bachtiar
 
The Purpose And Goals Of Risk Management
The Purpose And Goals Of Risk ManagementThe Purpose And Goals Of Risk Management
The Purpose And Goals Of Risk ManagementLisa Shannon, RN, BSN, JD.
 
Project Risk Management - PMBOK5
Project Risk Management - PMBOK5Project Risk Management - PMBOK5
Project Risk Management - PMBOK5pankajsh10
 
Risk Management Framework
Risk Management FrameworkRisk Management Framework
Risk Management FrameworkAnand Subramaniam
 

Andere mochten auch (15)

Strong Authentication in Web Application / ConFoo.ca 2011
Strong Authentication in Web Application / ConFoo.ca 2011Strong Authentication in Web Application / ConFoo.ca 2011
Strong Authentication in Web Application / ConFoo.ca 2011
 
Webinar - Easy multi factor authentication strategies and PCI DSS
Webinar - Easy multi factor authentication strategies and PCI DSSWebinar - Easy multi factor authentication strategies and PCI DSS
Webinar - Easy multi factor authentication strategies and PCI DSS
 
Strong Authentication in Web Applications: State of the Art 2011
Strong Authentication in Web Applications: State of the Art 2011Strong Authentication in Web Applications: State of the Art 2011
Strong Authentication in Web Applications: State of the Art 2011
 
Web authentication & authorization
Web authentication & authorizationWeb authentication & authorization
Web authentication & authorization
 
Authentication and strong authentication for Web Application
Authentication and strong authentication for Web ApplicationAuthentication and strong authentication for Web Application
Authentication and strong authentication for Web Application
 
Web authentication
Web authenticationWeb authentication
Web authentication
 
The wonderful story of Web Authentication and Single-Sign On
The wonderful story of Web Authentication and Single-Sign OnThe wonderful story of Web Authentication and Single-Sign On
The wonderful story of Web Authentication and Single-Sign On
 
SSL TSL;& SET
SSL TSL;& SETSSL TSL;& SET
SSL TSL;& SET
 
[JDLL 2016] OpenID Connect et FranceConnect
[JDLL 2016] OpenID Connect et FranceConnect[JDLL 2016] OpenID Connect et FranceConnect
[JDLL 2016] OpenID Connect et FranceConnect
 
Pmbok 4th edition chapter 11 - Project Risk Management
Pmbok 4th edition chapter 11 - Project Risk ManagementPmbok 4th edition chapter 11 - Project Risk Management
Pmbok 4th edition chapter 11 - Project Risk Management
 
PMP Training - 11 project risk management
PMP Training - 11 project risk managementPMP Training - 11 project risk management
PMP Training - 11 project risk management
 
Implementing Enterprise Risk Management with ISO 31000:2009
Implementing Enterprise Risk Management with ISO 31000:2009Implementing Enterprise Risk Management with ISO 31000:2009
Implementing Enterprise Risk Management with ISO 31000:2009
 
The Purpose And Goals Of Risk Management
The Purpose And Goals Of Risk ManagementThe Purpose And Goals Of Risk Management
The Purpose And Goals Of Risk Management
 
Project Risk Management - PMBOK5
Project Risk Management - PMBOK5Project Risk Management - PMBOK5
Project Risk Management - PMBOK5
 
Risk Management Framework
Risk Management FrameworkRisk Management Framework
Risk Management Framework
 

Ähnlich wie TrustBearer - Virginia Security Summit - Web Authentication Strategies - April 2009

Protecting Online Identities - MIX09
Protecting Online Identities - MIX09Protecting Online Identities - MIX09
Protecting Online Identities - MIX09Jorgen Thelin
 
Protecting Online Identities
Protecting Online IdentitiesProtecting Online Identities
Protecting Online Identitiesgoodfriday
 
Protecting Online Identities
Protecting Online IdentitiesProtecting Online Identities
Protecting Online Identitiesgoodfriday
 
kicking your enterprise security up a notch with adaptive authentication sa...
kicking your enterprise security up a notch with adaptive authentication sa...kicking your enterprise security up a notch with adaptive authentication sa...
kicking your enterprise security up a notch with adaptive authentication sa...Sagara Gunathunga
 
Identiverse - Microservices Security
Identiverse - Microservices SecurityIdentiverse - Microservices Security
Identiverse - Microservices SecurityBertrand Carlier
 
[WSO2Con EU 2018] Kicking Your Enterprise Security Up a Notch With Adaptive A...
[WSO2Con EU 2018] Kicking Your Enterprise Security Up a Notch With Adaptive A...[WSO2Con EU 2018] Kicking Your Enterprise Security Up a Notch With Adaptive A...
[WSO2Con EU 2018] Kicking Your Enterprise Security Up a Notch With Adaptive A...WSO2
 
TrialPay Security Tech Talk at Stanford ACM
TrialPay Security Tech Talk at Stanford ACMTrialPay Security Tech Talk at Stanford ACM
TrialPay Security Tech Talk at Stanford ACMhackingtrialpay
 
Federation Evolved: How Cloud, Mobile & APIs Change the Way We Broker Identity
Federation Evolved: How Cloud, Mobile & APIs Change the Way We Broker IdentityFederation Evolved: How Cloud, Mobile & APIs Change the Way We Broker Identity
Federation Evolved: How Cloud, Mobile & APIs Change the Way We Broker IdentityCA API Management
 
APIdays London 2019 - Why the Financial Industry Needs Intelligent API Securi...
APIdays London 2019 - Why the Financial Industry Needs Intelligent API Securi...APIdays London 2019 - Why the Financial Industry Needs Intelligent API Securi...
APIdays London 2019 - Why the Financial Industry Needs Intelligent API Securi...apidays
 
Smart Identity for the Hybrid Multicloud World
Smart Identity for the Hybrid Multicloud WorldSmart Identity for the Hybrid Multicloud World
Smart Identity for the Hybrid Multicloud WorldKatherine Cola
 
FrontOne our new and different solutions
FrontOne our new and different solutionsFrontOne our new and different solutions
FrontOne our new and different solutionsfrontone
 
User Authentication for Government
User Authentication for GovernmentUser Authentication for Government
User Authentication for GovernmentCarahsoft
 
Identity Management for Your Users and Apps: A Deep Dive on Amazon Cognito - ...
Identity Management for Your Users and Apps: A Deep Dive on Amazon Cognito - ...Identity Management for Your Users and Apps: A Deep Dive on Amazon Cognito - ...
Identity Management for Your Users and Apps: A Deep Dive on Amazon Cognito - ...Amazon Web Services
 
Securing Microservices in Hybrid Cloud
Securing Microservices in Hybrid CloudSecuring Microservices in Hybrid Cloud
Securing Microservices in Hybrid CloudVMware Tanzu
 
CIS13: Taking the Hyperspace Bypass: Controlling User Access to Other Worlds
CIS13: Taking the Hyperspace Bypass: Controlling User Access to Other WorldsCIS13: Taking the Hyperspace Bypass: Controlling User Access to Other Worlds
CIS13: Taking the Hyperspace Bypass: Controlling User Access to Other WorldsCloudIDSummit
 
Catalyst 2015: Patrick Harding
Catalyst 2015: Patrick HardingCatalyst 2015: Patrick Harding
Catalyst 2015: Patrick HardingPing Identity
 
OAuth for QuickBooks Online REST Services
OAuth for QuickBooks Online REST ServicesOAuth for QuickBooks Online REST Services
OAuth for QuickBooks Online REST ServicesIntuit Developer
 
The Case For Next Generation IAM
The Case For Next Generation IAM The Case For Next Generation IAM
The Case For Next Generation IAM Patrick Harding
 
Claim based authentaication
Claim based authentaicationClaim based authentaication
Claim based authentaicationSean Xiong
 

Ähnlich wie TrustBearer - Virginia Security Summit - Web Authentication Strategies - April 2009 (20)

Protecting Online Identities - MIX09
Protecting Online Identities - MIX09Protecting Online Identities - MIX09
Protecting Online Identities - MIX09
 
Protecting Online Identities
Protecting Online IdentitiesProtecting Online Identities
Protecting Online Identities
 
Protecting Online Identities
Protecting Online IdentitiesProtecting Online Identities
Protecting Online Identities
 
kicking your enterprise security up a notch with adaptive authentication sa...
kicking your enterprise security up a notch with adaptive authentication sa...kicking your enterprise security up a notch with adaptive authentication sa...
kicking your enterprise security up a notch with adaptive authentication sa...
 
Identiverse - Microservices Security
Identiverse - Microservices SecurityIdentiverse - Microservices Security
Identiverse - Microservices Security
 
[WSO2Con EU 2018] Kicking Your Enterprise Security Up a Notch With Adaptive A...
[WSO2Con EU 2018] Kicking Your Enterprise Security Up a Notch With Adaptive A...[WSO2Con EU 2018] Kicking Your Enterprise Security Up a Notch With Adaptive A...
[WSO2Con EU 2018] Kicking Your Enterprise Security Up a Notch With Adaptive A...
 
TrialPay Security Tech Talk at Stanford ACM
TrialPay Security Tech Talk at Stanford ACMTrialPay Security Tech Talk at Stanford ACM
TrialPay Security Tech Talk at Stanford ACM
 
Federation Evolved: How Cloud, Mobile & APIs Change the Way We Broker Identity
Federation Evolved: How Cloud, Mobile & APIs Change the Way We Broker IdentityFederation Evolved: How Cloud, Mobile & APIs Change the Way We Broker Identity
Federation Evolved: How Cloud, Mobile & APIs Change the Way We Broker Identity
 
APIdays London 2019 - Why the Financial Industry Needs Intelligent API Securi...
APIdays London 2019 - Why the Financial Industry Needs Intelligent API Securi...APIdays London 2019 - Why the Financial Industry Needs Intelligent API Securi...
APIdays London 2019 - Why the Financial Industry Needs Intelligent API Securi...
 
Smart Identity for the Hybrid Multicloud World
Smart Identity for the Hybrid Multicloud WorldSmart Identity for the Hybrid Multicloud World
Smart Identity for the Hybrid Multicloud World
 
FrontOne our new and different solutions
FrontOne our new and different solutionsFrontOne our new and different solutions
FrontOne our new and different solutions
 
User Authentication for Government
User Authentication for GovernmentUser Authentication for Government
User Authentication for Government
 
Identity Management for Your Users and Apps: A Deep Dive on Amazon Cognito - ...
Identity Management for Your Users and Apps: A Deep Dive on Amazon Cognito - ...Identity Management for Your Users and Apps: A Deep Dive on Amazon Cognito - ...
Identity Management for Your Users and Apps: A Deep Dive on Amazon Cognito - ...
 
Securing Microservices in Hybrid Cloud
Securing Microservices in Hybrid CloudSecuring Microservices in Hybrid Cloud
Securing Microservices in Hybrid Cloud
 
CIS13: Taking the Hyperspace Bypass: Controlling User Access to Other Worlds
CIS13: Taking the Hyperspace Bypass: Controlling User Access to Other WorldsCIS13: Taking the Hyperspace Bypass: Controlling User Access to Other Worlds
CIS13: Taking the Hyperspace Bypass: Controlling User Access to Other Worlds
 
Catalyst 2015: Patrick Harding
Catalyst 2015: Patrick HardingCatalyst 2015: Patrick Harding
Catalyst 2015: Patrick Harding
 
Ib final project
Ib final projectIb final project
Ib final project
 
OAuth for QuickBooks Online REST Services
OAuth for QuickBooks Online REST ServicesOAuth for QuickBooks Online REST Services
OAuth for QuickBooks Online REST Services
 
The Case For Next Generation IAM
The Case For Next Generation IAM The Case For Next Generation IAM
The Case For Next Generation IAM
 
Claim based authentaication
Claim based authentaicationClaim based authentaication
Claim based authentaication
 

KĂźrzlich hochgeladen

08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilV3cube
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 

KĂźrzlich hochgeladen (20)

08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 

TrustBearer - Virginia Security Summit - Web Authentication Strategies - April 2009

  • 1. Web Authentication Strategies Virginia Security Summit Identity Management April 27, 2009 Brian Kelly Vice President TrustBearer Labs a partner company of VeriSign, Inc.
  • 2. Simplify Techniques and technology that can be leveraged to make managing user accounts easier and more secure SAML 2
  • 3. Know your users Employees Citizens • 1,000+ • 100,000+ • Identity vetted • Internet-based identity • Bulk-provisioning • On-the-fly-provisioning (with ofcial email) (with Internet email) • IT staff to handle • Automated support support requests requests 3
  • 4. Identity vetting • Employee identities are vetted in advance, in-person • Citizens may need vetting, depending on services accessed, but in-person vetting is rarely available 4
  • 5. Account Provisioning • Employees are typically assigned an email address, network account, and temporary password after hire. ‣ Then (some) applications are provisioned • Citizens typically request an account after proving their identity (e.g. driver’s license number & date of birth) ‣ Then username & password are created, and (one) application is provisioned. 5
  • 6. Support • Help desk staff to support employee requests (e.g. password reset, new application access) • Citizen requests may be of much higher volume, which require more automated support options 6
  • 8. Employee Web Apps • Use a single SAML Identity Provider Make web apps SAML consumers • Provision all apps using SAML user IDs • Employee authenticates in once place and gets access to all provisioned applications • Account support is centralized • Can still use OTP, smart card, or password (more on that later) 8
  • 9. How does SAML work? veries signed assertions User is logged-in creates signed App 1 to web app Login Web Page assertions user SAML ID App 2 user Provider user authenticates users App 3 Other SAML Service Providers LDAP (consumers) Auth. 9
  • 10. Citizen Web Apps • Make web apps OpenID Relying Parties and stop managing usernames & passwords • Use existing ID vetting process or outsource • Add an Extended Validation SSL certicate • Citizen gets to reuse existing credentials • Can still use OTP, smart card, or password • Account support is partially outsourced 10
  • 11. How does OpenID work? Citizen Web App Web app Citizen is logged-in Page Login veries previously to web app user enrolled OpenID Citizen user Web App OpenID user Relying Party (consumer) Citizen identity vetting could take place during OpenID enrollment stage. User authenticates to IDP and enables account to be used with government site 11
  • 12. SAML • Consumer focused • Enterprise focused • On-the-fly-provisioning • Bulk-provisioning (on-the-fly supported) • Many identity providers • Identity Provider is available online for internal to consumers to choose organization (typically) • Mostly open-source, • Commercial and OS and COTS services products available 12
  • 14. End-point authentication is agnostic of SSO standard All can be supported by SAML or OpenID • username / password • one time password (OTP) tokens • smart cards (e.g. PIV, CAC, FRAC) • client digital certicates • information cards • biometrics • image verication 14
  • 15. Identity Provider decides end- point authentication options • Google,Yahoo, AOL: password • myOpenID: password, phone verify, client certicate, info card • VeriSign PIP: OTP, client certicate, info card, EV SSL • TrustBearer: smart cards (CAC, PIV, etc.), biometrics • Vidoop: Image recognition (CAPTCHA) The IdP can specify authentication methods used to the RP, which can even request preferences. 15
  • 17. Required Protections for OMB’s E-Auth Assurance Levels Level 1 Level 2 Level 3 Level 4 Protect against ✓ ✓ ✓ ✓ On-line guessing Replay ✓ ✓ ✓ ✓ Eavesdropper ✓ ✓ ✓ Verier impersonation ✓ ✓ ✓ Man-in-the-middle ✓ ✓ Session hijacking ✓ From NIST SP 800-63 p. 39 17
  • 18. Token Types Allowed At Each Assurance Level Level 1 Level 2 Level 3 Level 4 Token Type ✓ ✓ ✓ ✓ Hard Crypto Token ✓ ✓ ✓ One-time password device ✓ ✓ ✓ Soft crypto token ✓ ✓ Passwords & PINs From NIST SP 800-63 p. 39 18
  • 19. OpenID Provider Authentication Policy Extension (PAPE) • Provides a way for Relying Parties to request / view authentication policies of Identity Provider • Policies: Phishing-resistant, Multi-Factor, and Physical Multi-Factor • Preferred authentication levels e.g. NIST: 1, 2, 3, 4 SAML also allows authentication attributes to be added to a message 19
  • 20. In summary • You have better options than managing usernames & passwords for every web app • SAML has strong enterprise support • OpenID is convenient for Internet users • There are many end-point authentication options for each SSO option. • Perform a risk-based analysis on your app to choose an authentication type 20
  • 21. Thank you http://trustbearer.com http://www.verisign.com/authentication/ Brian Kelly brian.kelly@trustbearer.com twitter.com/TrustBearer Vice President TrustBearer Labs a partner company of VeriSign, Inc.