Federated identity Flashcards
(13 cards)
Delegated vs. Federated ID
A delegated solution means that one site is simply outsourcing its authentication needs to another, pre-selected site.
A federated solution means that visitors to your site can use any account they have, as long as it is compatible. It makes no difference to the site which account is being used, as long as it can interoperate. At its core, OpenID is a federated solution because its most important feature is the ability to use any OpenID account with any OpenID-enabled service.
What is SSO? And How can it be used?
Single Sign On (SSO).
Can be used in different ways.
1) A direct server based SSO = User –> Browser –> (multiple applications connected through HTTPS). Directory Server verifies back through LDAPS (active directory, database, other directory server)
2) Identity Federation SSO = User –> multiple applications/ service providers (SPn). IdP <–Trust relationship or SSO protocol–> SPn.
Pros and Cons of SSO
Pros:
- Access logs – an SSO portal provides detailed reporting on who accessed what
- Session time – by eliminating repeated credential entry, users spend less time on the authentication process, which improves productivity.
- Centralized database – one database that includes logs for authentication and authorization to support compliance and administration.
- Fewer credentials mean fewer phishing targets – users have fewer passwords to be tricked into revealing. Phishing and social engineering are not eliminated, though; the one remaining credential becomes a higher-value target.
- Reduce help desk costs – reducing the number of credentials (passwords) translates to fewer help-desk calls which are estimated at 20 – 50% of all help desk calls.
Cons:
- Single set of credentials – keys to the kingdom [so MFA on the SSO login is a must]
- Does not necessarily provide single sign-off. Each application handles logout differently, so sessions can stay alive after the user thinks they have logged out, which opens the door to session hijacking.
- Users still need separate logins for sites outside the SSO domain (or a password manager).
- An employee who also holds a local, service-specific login could keep access to that service after leaving the company unless that account is deprovisioned as well.
Federated Identity Vs. SSO
This is the important difference between SSO and Federated Identity –> While SSO allows a single authentication credential to access different systems within a single organization, a federated identity management system provides single access to multiple systems across different enterprises. In such a system, users do not provide credentials directly to a web application, only to the FIM system itself.
Federated Identity system weakness
Any federated identity system rests first and foremost on mutual trust. Each party that accepts the federated credentials is effectively allowing the other members to assert identities into, and to track activity on, the shared application.
If the credentials or other material used to authenticate a user to the IdP were compromised, whether through an unintended leak or a classic attack such as phishing, the attacker would gain the same access the federated identity grants at every partner: one compromised login at the IdP becomes a compromise at all relying parties.
Identity Provider (IdP)
Technology system that creates, maintains, and manages identity information. In other words, an identity provider establishes users’ identities and the details that make up those identities. Ex) Google, Facebook, Apple, Microsoft Active Directory
SAML
Security Assertion Markup Language (SAML) is an open federation standard that allows an identity provider to authenticate users across domains on behalf of a service provider.
The nonprofit technology consortium OASIS developed SAML.
Authentication flow with the OAuth protocol (authorization code grant)
- On login, Phoebe is redirected to the identity provider's login page (the authorization server) with an authorization request. Phoebe logs in and thereby authorizes the client to act on her behalf.
- The service provider receives the authorization grant (a short-lived, single-use authorization code) at its redirect URI and forwards it to the client.
- The client uses the authorization grant to request an access token from the identity provider's token endpoint.
- Provided that the authorization grant is valid, the identity provider issues an access token, which the client uses to request access to the service.
- The service provider receives the access token and validates it in one of two ways, depending on the token type: an opaque token is sent to the identity provider for validation (introspection), while a signed token such as a JWT is verified locally against the identity provider's certificate (its public key), together with its issuer, audience and expiry claims. If the token is valid, the user claims (returned by the identity provider or carried in the token) tell the service provider who Phoebe is.
- Phoebe is granted access to the service.
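The token-validation step above, worked through as an added Go example (this is not M-Files code or code from the original page). It shows the local-verification branch: the identity provider signs a JWT-style access token with its RSA key (RS256), and the service provider pins the algorithm, checks the signature against the IdP's public key, and only then checks issuer, audience and expiry before trusting any claim. The issuer URL https://idp.example, the audience name m-files-vault and the claims are constructed for the example; a real service would fetch only the IdP's public key (certificate or JWKS) instead of generating the key pair itself.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Claims is the subset of RFC 7519 claims this service checks.
type Claims struct {
	Iss string `json:"iss"` // identity provider that issued the token
	Sub string `json:"sub"` // the user (Phoebe)
	Aud string `json:"aud"` // service the token is meant for
	Exp int64  `json:"exp"` // expiry, seconds since the Unix epoch
}

var b64 = base64.RawURLEncoding

// issueToken plays the identity provider's token endpoint: it signs
// header.payload with the IdP's private RSA key (RS256) and returns a compact JWT.
func issueToken(idpKey *rsa.PrivateKey, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, _ := json.Marshal(c)
	signingInput := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, idpKey, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// verifyToken plays the service provider doing local validation: signature
// against the IdP public key first, then issuer, audience and expiry. The
// payload is not trusted until the signature has verified.
func verifyToken(tok string, idpPub *rsa.PublicKey, wantIss, wantAud string, now time.Time) (*Claims, error) {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("token is not three dot-separated segments")
	}
	hdrJSON, err := b64.DecodeString(parts[0])
	if err != nil {
		return nil, fmt.Errorf("bad header encoding: %w", err)
	}
	var hdr struct{ Alg string `json:"alg"` }
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil {
		return nil, fmt.Errorf("bad header: %w", err)
	}
	// Pin the expected algorithm: honouring an attacker-supplied "alg" (such as
	// "none") is a well-known way to bypass JWT signature checks.
	if hdr.Alg != "RS256" {
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return nil, fmt.Errorf("bad signature encoding: %w", err)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(idpPub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("signature does not verify against the IdP key")
	}
	body, err := b64.DecodeString(parts[1])
	if err != nil {
		return nil, fmt.Errorf("bad payload encoding: %w", err)
	}
	var c Claims
	if err := json.Unmarshal(body, &c); err != nil {
		return nil, fmt.Errorf("bad payload: %w", err)
	}
	switch {
	case c.Iss != wantIss:
		return nil, fmt.Errorf("issuer %q is not the trusted IdP", c.Iss)
	case c.Aud != wantAud: // a valid token minted for another service is still rejected here
		return nil, fmt.Errorf("audience %q is not this service", c.Aud)
	case !now.Before(time.Unix(c.Exp, 0)):
		return nil, fmt.Errorf("token expired at %d", c.Exp)
	}
	return &c, nil
}

func main() {
	// Constructed demo: in production only the IdP holds the private key and the
	// service fetches just the public half (certificate / JWKS) from the IdP.
	idpKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	now := time.Now()
	tok, _ := issueToken(idpKey, Claims{Iss: "https://idp.example", Sub: "phoebe",
		Aud: "m-files-vault", Exp: now.Add(5 * time.Minute).Unix()})
	c, err := verifyToken(tok, &idpKey.PublicKey, "https://idp.example", "m-files-vault", now)
	if err != nil {
		panic(err)
	}
	fmt.Println("token accepted for subject", c.Sub)
}
```

The order of checks is deliberate: the algorithm is pinned before the signature is checked, and the claims are parsed only after the signature verifies, so a forged or tampered payload never influences a decision. The audience check is what stops a token legitimately issued for one partner from being replayed against another; the introspection branch for opaque tokens delegates exactly these checks to the identity provider instead.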
What does a user provisioning system do?
User provisioning is a means to gather, store, manage and distribute user information across multiple systems. Provisioning is bidirectional, outbound and inbound, meaning that user data can be either provisioned from a user provisioning system to other systems or gathered from other applications to the user provisioning system.
It's the person managing the "guest list and invitations" for the party.
Authentication flow using an LDAP server.
- Harald logs in to M-Files to use a cloud vault.
- The M-Files client encrypts Harald's credentials and sends them via M-Files Server to the LDAP server as a bind request. The LDAP connection itself should be protected with LDAPS or StartTLS, since a simple bind otherwise carries the password in the clear.
- The LDAP server looks up the user name among the entries it holds. If a matching entry exists and the password is correct, it returns a successful bind result to M-Files Server (the credentials themselves are not sent back).
- M-Files Server receives confirmation that the credentials were validated and allows Harald to access the cloud vault.
What is WS-Federation?
Web Services Federation Language (WS-Federation) is an identity federation protocol that offers cross-domain authentication and authorization. It uses an approach based on WS-Trust, which is part of the Web Services Security set of standards, to offer a flexible identity federation architecture that can employ a number of different types of tokens for user authentication.
Authentication flow with WS-Federation.
- Laura wants to log in to M-Files.
- She is redirected from M-Files to the identity provider login page.
- Laura, if she hasn’t done so already, provides her user credentials to the identity provider and logs in.
- The identity provider verifies Laura's credentials to determine whether she is truly who she claims to be and, after doing so, sends a security token to M-Files. The token carries claims about Laura that help the service decide what she is authorized to do once she is logged in.
- M-Files verifies that the token is authentic (issued and signed by the trusted identity provider, and intended for M-Files), and Laura is then free to use M-Files.
Solution compatibility between OAuth, LDAP, WS-Federation
OAuth - Azure AD, AD FS (since Windows Server 2012 R2), LDAP, PingFederate. Works with Desktop, Web, Admin, and Mobile
LDAP - AD FS, PingFederate. Works with Desktop and Web
WS-Federation - Azure AD, AD FS, PingFederate. Works with Desktop, Web, and AD FS