WHAT IS IDM
Identity management (IDM) deals with identifying individuals and controlling their access to resources within a system by implementing user rights and restrictions.
http://www.ifour-consultancy.com Offshore software development company India
WHAT IS FIDM
Federated identity management (FIDM) is an arrangement that can be made among multiple enterprises that lets subscribers use the same identification data to obtain access to the networks of all enterprises in the group (identity federation).
FIDM CONTINUED…
IDENTITY FEDERATION: Linking a person's electronic identity and attributes stored across multiple distinct IDMs.
SINGLE SIGN ON (SSO): A user's single authentication ticket or token is trusted across multiple IT systems or organizations.
CIRCLE OF TRUST
- A circle of trust is a trust relationship among a set of identity providers and service providers that allows a principal to use a single federated identity and single sign-on when conducting business transactions with providers within that set.
- Organizations affiliate together into circles of trust based on federation technology and operational agreements that define trust relationships between the parties.
What is SAML
- In order for FIDM to be effective, the partners must have a sense of mutual trust (circle of trust).
- SAML is an XML-based open standard data format for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider.
Exchange of SAML messages takes place between two parties: the Relying Party and the Asserting Party.
- The Asserting Party asserts information about a given subject, such as whether the subject has been authenticated and is authorized to perform a certain action.
- The Relying Party uses information provided by the Asserting Party to make security-related decisions, such as what types of access to grant the subject to a specific resource.
SAML Request & Response Cycle
- The relying party, which needs to authenticate a specific client request, sends a SAML request to its issuing authority.
- The issuing authority responds with a SAML assertion, which supplies the relying party with the requested security information.
- SAML does not specify the method of authentication at the identity provider; it may use a username and password or another form of authentication, including multi-factor authentication.
Assertions in SAML
SAML defines three kinds of assertions about a subject:
- AUTHENTICATION ASSERTIONS: State that the user has proven her identity by a particular method at a specific time.
- ATTRIBUTE ASSERTIONS: Contain specific details about the user such as an employee number or an account number.
- AUTHORIZATION ASSERTIONS: State the resources a user can access and under what conditions they can be accessed.
ROLES in SAML
The SAML specification defines three roles:
- The principal (typically a user): Requests a service from the service provider.
- Identity provider (IdP): The service provider requests and obtains an identity assertion from the identity provider.
- Service provider (SP): The service provider can make an access control decision; it can decide whether to perform some service for the connected principal based on the assertion.
- Before delivering the identity assertion to the SP, the IdP may request some information from the principal in order to authenticate the principal, e.g. a user name and password.
- In SAML, one identity provider may provide SAML assertions to many service providers. Similarly, one SP may rely on and trust assertions from many independent IdPs.
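The relying-party (SP) side of the request/response cycle, the three assertion kinds and the circle-of-trust check above, as an added example that is not code from this presentation: the SP receives a SAML 1.1 assertion, accepts it only if the issuer is one of its trusted IdPs, the validity window and audience match, and then extracts the authentication, attribute and authorization statements. The IdP/SP entity IDs, attribute names and subject are hypothetical, and the code assumes the XML signature has already been verified.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"saml": "urn:oasis:names:tc:SAML:1.0:assertion"}  # namespace shared by SAML 1.0 and 1.1
def _ts(s): return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")  # UTC timestamps as used in SAML

# Constructed sample carrying all three statement kinds; issuer, audience, subject and attribute values are hypothetical.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
  MajorVersion="1" MinorVersion="1" AssertionID="_constructed-1"
  Issuer="https://idp.example.org" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestrictionCondition><saml:Audience>https://sp.example.com</saml:Audience></saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AuthenticationStatement AuthenticationInstant="2024-01-01T11:59:50Z"
      AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
    <saml:Subject><saml:NameIdentifier>alice</saml:NameIdentifier></saml:Subject>
  </saml:AuthenticationStatement>
  <saml:AttributeStatement>
    <saml:Subject><saml:NameIdentifier>alice</saml:NameIdentifier></saml:Subject>
    <saml:Attribute AttributeName="employeeNumber" AttributeNamespace="urn:example:attrs">
      <saml:AttributeValue>E1234</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
  <saml:AuthorizationDecisionStatement Resource="https://sp.example.com/reports" Decision="Permit">
    <saml:Subject><saml:NameIdentifier>alice</saml:NameIdentifier></saml:Subject>
    <saml:Action>Read</saml:Action>
  </saml:AuthorizationDecisionStatement>
</saml:Assertion>"""


def evaluate_assertion(xml_text, trusted_idps, my_entity_id, now):
    """Relying-party checks on one assertion; `now` is a UTC timestamp string.
    Assumes the XML signature was already verified: these checks alone do not authenticate the IdP."""
    a = ET.fromstring(xml_text)
    if a.get("Issuer") not in trusted_idps:  # issuer outside this SP's circle of trust
        return {"ok": False, "reason": "untrusted issuer"}
    cond = a.find("saml:Conditions", NS)
    if not (_ts(cond.get("NotBefore")) <= _ts(now) < _ts(cond.get("NotOnOrAfter"))):  # validity window
        return {"ok": False, "reason": "outside validity window"}
    audiences = [e.text for e in cond.iterfind("saml:AudienceRestrictionCondition/saml:Audience", NS)]
    if my_entity_id not in audiences:  # assertion was issued for a different SP
        return {"ok": False, "reason": "audience mismatch"}
    authn = a.find("saml:AuthenticationStatement", NS)
    attrs = {at.get("AttributeName"): at.find("saml:AttributeValue", NS).text
             for at in a.iterfind("saml:AttributeStatement/saml:Attribute", NS)}
    authz = {(s.get("Resource"), s.find("saml:Action", NS).text): s.get("Decision")
             for s in a.iterfind("saml:AuthorizationDecisionStatement", NS)}
    return {"ok": True, "subject": authn.find("saml:Subject/saml:NameIdentifier", NS).text,
            "method": authn.get("AuthenticationMethod"), "attributes": attrs, "authz": authz}
```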
Benefits of SAML
- Platform neutrality: SAML abstracts the security framework away from platform architectures and vendor implementations, making security more independent of application logic.
- Loose coupling of directories: SAML does not require user information to be maintained and synchronized between directories.
- Improved online experience for end users: SAML enables single sign-on by allowing users to authenticate at an identity provider and then access service providers without additional authentication.
- Reduced administrative costs for service providers: Using SAML to 'reuse' a single act of authentication multiple times across multiple services can reduce the cost of maintaining accounts.
- Risk transference: SAML can act to push responsibility for proper management of identities to the identity provider, which is more compatible with its business model than that of a service provider.
SAML 1.0 & SAML 1.1
- SAML 1.0 defines two key concepts:
  - A security token format, known as an assertion, which associates a given identity with specific access rights. A directory service, which allows users to log in with a user name and password, is a typical source of authentication tokens (e.g. passwords) at an identity provider.
  - Profiles that describe ways to package these assertions to provide single sign-on.
- SAML 1.1 updates SAML 1.0 with feedback & corrections.
Example
- IRCTC, Yatra.com and Makemytrip.com work on the principle of FIDM.
- Here the user's electronic identity is confirmed via a one-time password sent by IRCTC.
- Using the same electronic identity the user can sign in to Yatra.com and Makemytrip.com.
Symbiosis students
- Akansha Sharrma
- Kajal Kalpna Thomas
- Pragati Juneja
- Aadya Aditi
THANK YOU 
Federated identity management (fidm) using security assertion markup language (saml)