TrustBearer's Brian Kelly gave this presentation during the Identity Management track at the Virginia Security Summit in Richmond, VA. It compares SAML to OpenID and explains how different authentication methods can be used with either of these Single Sign On standards.
TrustBearer - Virginia Security Summit - Web Authentication Strategies - April 2009
1. Web Authentication Strategies
Virginia Security Summit
Identity Management
April 27, 2009
Brian Kelly
Vice President
TrustBearer Labs
a partner company of VeriSign, Inc.
2. Simplify
Techniques and technology that can be leveraged to make managing user accounts easier and more secure
SAML
3. Know your users
Employees:
• 1,000+
• Identity vetted
• Bulk-provisioning (with official email)
• IT staff to handle support requests
Citizens:
• 100,000+
• Internet-based identity
• On-the-fly provisioning (with Internet email)
• Automated support requests
4. Identity vetting
• Employee identities are vetted in advance, in person
• Citizens may need vetting, depending on services accessed, but in-person vetting is rarely available
5. Account Provisioning
• Employees are typically assigned an email address, network account, and temporary password after hire.
‣ Then (some) applications are provisioned
• Citizens typically request an account after proving their identity (e.g. driver’s license number & date of birth)
‣ Then username & password are created, and (one) application is provisioned.
6. Support
• Help desk staff to support employee requests (e.g. password reset, new application access)
• Citizen requests may be of much higher volume, which requires more automated support options
8. Employee Web Apps
• Use a single SAML Identity Provider
‣ Make web apps SAML consumers
• Provision all apps using SAML user IDs
• Employee authenticates in one place and gets access to all provisioned applications
• Account support is centralized
• Can still use OTP, smart card, or password (more on that later)
9. How does SAML work?
[Diagram] SAML ID Provider (Login Web Page): authenticates users against LDAP Auth., creates signed assertions. App 1, App 2, App 3 and other SAML Service Providers (consumers): verify the signed assertions; user is logged in to the web app.
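The diagram above reduces the consumer side to "verifies signed assertions". The following is an added example, not code from the slides or from TrustBearer, of what that verification has to cover before a SAML service provider logs a user in: signature first, then issuer, audience, validity window and replay. The IdP and SP entity IDs are hypothetical, and an HMAC over the whitespace-stripped XML stands in for XML-DSig and canonicalisation so the example runs on the standard library alone; the order and nature of the checks are what carry over to a real deployment.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Namespace of SAML 2.0 assertions.
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed values for this demo: hypothetical IdP and SP entity IDs, and a
# shared key that stands in for the IdP's XML-DSig signing key.
TRUSTED_ISSUER = "https://idp.example.gov/saml"
MY_AUDIENCE = "https://app1.example.gov/saml/sp"
IDP_KEY = b"constructed-demo-key-not-for-real-use"


def canonical(assertion_xml: str) -> bytes:
    # Stand-in for XML canonicalisation (C14N): drop indentation and newlines.
    return "".join(line.strip() for line in assertion_xml.splitlines()).encode()


def sign_assertion(assertion_xml: str, key: bytes = IDP_KEY) -> str:
    # IdP side ("creates signed assertions"); HMAC-SHA256 stands in for XML-DSig.
    mac = hmac.new(key, canonical(assertion_xml), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


def make_assertion(assertion_id, issuer, audience, name_id, not_before, not_on_or_after):
    # Minimal SAML 2.0 assertion carrying the fields a consumer must check.
    def fmt(t):
        return t.strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="{assertion_id}">
  <saml:Issuer>{issuer}</saml:Issuer>
  <saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="{fmt(not_before)}" NotOnOrAfter="{fmt(not_on_or_after)}">
    <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def parse_time(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def verify_assertion(assertion_xml, signature, now, seen_ids, key=IDP_KEY):
    """SP side ("verifies signed assertions"). Returns (ok, reason, name_id).
    seen_ids is the consumer's replay cache of already-accepted assertion IDs."""
    # 1. Check the signature before trusting any field of the document.
    if not hmac.compare_digest(sign_assertion(assertion_xml, key), signature):
        return False, "signature invalid", None
    root = ET.fromstring(assertion_xml)
    # 2. Only assertions from the configured IdP count.
    if root.findtext("saml:Issuer", namespaces=NS) != TRUSTED_ISSUER:
        return False, "untrusted issuer", None
    # 3. The assertion must be addressed to this SP, not to another consumer.
    audience = root.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != MY_AUDIENCE:
        return False, "audience mismatch", None
    # 4. Validity window, with a small clock-skew allowance.
    cond = root.find("saml:Conditions", NS)
    skew = timedelta(minutes=2)
    if now + skew < parse_time(cond.get("NotBefore")) or now - skew >= parse_time(cond.get("NotOnOrAfter")):
        return False, "assertion expired or not yet valid", None
    # 5. Replay protection: each assertion ID is accepted once.
    aid = root.get("ID")
    if aid in seen_ids:
        return False, "replayed assertion", None
    seen_ids.add(aid)
    return True, "ok", root.findtext("saml:Subject/saml:NameID", namespaces=NS)


def demo():
    # Constructed scenario: one valid login, a replay, a tampered assertion,
    # and an assertion issued for a different service provider.
    now = datetime(2009, 4, 27, 10, 0, tzinfo=timezone.utc)
    seen = set()
    xml = make_assertion("_a1", TRUSTED_ISSUER, MY_AUDIENCE, "bkelly",
                         now - timedelta(minutes=1), now + timedelta(minutes=5))
    sig = sign_assertion(xml)
    results = [
        verify_assertion(xml, sig, now, seen)[:2],
        verify_assertion(xml, sig, now, seen)[:2],
        verify_assertion(xml.replace("bkelly", "admin"), sig, now, seen)[:2],
    ]
    other = make_assertion("_a2", TRUSTED_ISSUER, "https://app2.example.gov/saml/sp", "bkelly",
                           now, now + timedelta(minutes=5))
    results.append(verify_assertion(other, sign_assertion(other), now, seen)[:2])
    return results


if __name__ == "__main__":
    for ok, reason in demo():
        print(ok, reason)
```

The audience check is the one most often forgotten: without it, an assertion the IdP issued for App 2 is accepted by App 1, so a compromise of any one consumer can be turned into access to the others.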
10. Citizen Web Apps
• Make web apps OpenID Relying Parties and stop managing usernames & passwords
• Use existing ID vetting process or outsource
• Add an Extended Validation SSL certificate
• Citizen gets to reuse existing credentials
• Can still use OTP, smart card, or password
• Account support is partially outsourced
11. How does OpenID work?
[Diagram] Citizen Web App (OpenID Relying Party / consumer): Login Page; the web app verifies the previously enrolled OpenID; citizen is logged in to the web app. Citizen identity vetting could take place during the OpenID enrollment stage. User authenticates to the IdP and enables the account to be used with the government site.
12. OpenID vs. SAML
OpenID:
• Consumer focused
• On-the-fly provisioning
• Many identity providers available online for consumers to choose
• Mostly open-source and COTS services
SAML:
• Enterprise focused
• Bulk-provisioning (on-the-fly supported)
• Identity Provider is internal to organization (typically)
• Commercial and OS products available
14. End-point authentication is agnostic of SSO standard
All can be supported by SAML or OpenID:
• username / password
• one time password (OTP) tokens
• smart cards (e.g. PIV, CAC, FRAC)
• client digital certificates
• information cards
• biometrics
• image verification
15. Identity Provider decides end-point authentication options
• Google, Yahoo, AOL: password
• myOpenID: password, phone verify, client certificate, info card
• VeriSign PIP: OTP, client certificate, info card, EV SSL
• TrustBearer: smart cards (CAC, PIV, etc.), biometrics
• Vidoop: Image recognition (CAPTCHA)
The IdP can specify the authentication methods used to the RP, which can even request preferences.
18. Token Types Allowed At Each Assurance Level
Token Type                 Level 1  Level 2  Level 3  Level 4
Hard crypto token             ✓        ✓        ✓        ✓
One-time password device      ✓        ✓        ✓
Soft crypto token             ✓        ✓        ✓
Passwords & PINs              ✓        ✓
From NIST SP 800-63 p. 39
19. OpenID Provider Authentication Policy Extension (PAPE)
• Provides a way for Relying Parties to request / view authentication policies of the Identity Provider
• Policies: Phishing-resistant, Multi-Factor, and Physical Multi-Factor
• Preferred authentication levels, e.g. NIST: 1, 2, 3, 4
SAML also allows authentication attributes to be added to a message
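As an added example (not from the slides or from TrustBearer) of how a Relying Party uses PAPE in practice: the RP states the policies it prefers in the authentication request, then checks the OP's response against what it actually requires before treating the login as good enough. The parameter names and policy URIs follow the PAPE 1.0 specification as I know it; the slide itself names only the three policies and the NIST levels, so treat those identifiers as assumptions if you adapt this. The OP responses are constructed, and the example also shows the check a careless RP skips: PAPE fields the OP did not include in its signature prove nothing.

```python
from datetime import datetime, timedelta, timezone

# PAPE 1.0 namespace and policy URIs (assumed from the spec; not on the slide).
PAPE_NS = "http://specs.openid.net/extensions/pape/1.0"
POLICY_BASE = "http://schemas.openid.net/pape/policies/2007/06/"
PHISHING_RESISTANT = POLICY_BASE + "phishing-resistant"
MULTI_FACTOR = POLICY_BASE + "multi-factor"
MULTI_FACTOR_PHYSICAL = POLICY_BASE + "multi-factor-physical"
NONE_POLICY = POLICY_BASE + "none"
NIST_LEVEL_NS = "http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf"


def build_pape_request(preferred_policies, max_auth_age=None):
    """RP -> OP: the policies and level type the RP would like to see."""
    params = {
        "openid.ns.pape": PAPE_NS,
        "openid.pape.preferred_auth_policies": " ".join(preferred_policies),
        "openid.pape.preferred_auth_level_types": "nist",
    }
    if max_auth_age is not None:
        params["openid.pape.max_auth_age"] = str(max_auth_age)
    return params


def parse_pape_response(params):
    """OP -> RP: extract PAPE fields, insisting they are covered by the OP signature."""
    alias = None
    for k, v in params.items():  # find the alias the PAPE namespace was declared under
        if k.startswith("openid.ns.") and v == PAPE_NS:
            alias = k[len("openid.ns."):]
    if alias is None:
        return None
    signed = set(params.get("openid.signed", "").split(","))
    if f"ns.{alias}" not in signed:
        return None
    prefix = f"openid.{alias}."
    pape = {}
    for k, v in params.items():
        if k.startswith(prefix):
            # An unsigned PAPE field could have been altered in transit: reject all of it.
            if k[len("openid."):] not in signed:
                return None
            pape[k[len(prefix):]] = v
    policies = [p for p in pape.get("auth_policies", NONE_POLICY).split() if p != NONE_POLICY]
    level = None
    if pape.get("auth_level.ns.nist") == NIST_LEVEL_NS and "auth_level.nist" in pape:
        level = int(pape["auth_level.nist"])
    auth_time = pape.get("auth_time")
    if auth_time:
        auth_time = datetime.fromisoformat(auth_time.replace("Z", "+00:00"))
    return {"policies": policies, "nist_level": level, "auth_time": auth_time}


def rp_accepts(params, required_policies, min_nist_level, max_auth_age, now):
    """The RP's own policy: what the OP reports must meet what this app requires."""
    pape = parse_pape_response(params)
    if pape is None:
        return False, "no signed PAPE response"
    missing = [p for p in required_policies if p not in pape["policies"]]
    if missing:
        return False, "policy not met: " + missing[0].rsplit("/", 1)[-1]
    if pape["nist_level"] is None or pape["nist_level"] < min_nist_level:
        return False, "assurance level below required"
    if pape["auth_time"] is None or now - pape["auth_time"] > timedelta(seconds=max_auth_age):
        return False, "authentication too old"
    return True, "ok"


def demo():
    # Constructed responses: a smart-card OP, a password-only OP, and a response
    # whose PAPE fields were left out of the OP signature.
    now = datetime(2009, 4, 27, 10, 5, tzinfo=timezone.utc)
    signed = ("op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle,"
              "ns.pape,pape.auth_policies,pape.auth_time,pape.auth_level.ns.nist,pape.auth_level.nist")
    smartcard_op = {
        "openid.ns.pape": PAPE_NS,
        "openid.pape.auth_policies": f"{PHISHING_RESISTANT} {MULTI_FACTOR} {MULTI_FACTOR_PHYSICAL}",
        "openid.pape.auth_time": "2009-04-27T10:00:00Z",
        "openid.pape.auth_level.ns.nist": NIST_LEVEL_NS,
        "openid.pape.auth_level.nist": "3",
        "openid.signed": signed,
    }
    password_op = {**smartcard_op, "openid.pape.auth_policies": NONE_POLICY,
                   "openid.pape.auth_level.nist": "1"}
    unsigned = {**smartcard_op,
                "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle"}
    required = (PHISHING_RESISTANT,)
    return [
        rp_accepts(smartcard_op, required, 2, 600, now),
        rp_accepts(password_op, required, 2, 600, now),
        rp_accepts(unsigned, required, 2, 600, now),
        rp_accepts(smartcard_op, required, 2, 60, now),
    ]


if __name__ == "__main__":
    print(build_pape_request([PHISHING_RESISTANT], max_auth_age=600))
    for ok, reason in demo():
        print(ok, reason)
```

The last case in the demo shows why max_auth_age matters for the risk-based choice the closing slide recommends: an OP may truthfully report a smart-card login that happened hours ago, and a high-value app should insist on a fresh one.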
20. In summary
• You have better options than managing usernames & passwords for every web app
• SAML has strong enterprise support
• OpenID is convenient for Internet users
• There are many end-point authentication options for each SSO option.
• Perform a risk-based analysis on your app to choose an authentication type