CIS2054 - Federated Identity Management


Chris Porter

on 2 May 2017

Transcript of CIS2054 - Federated Identity Management

[Diagram: Institutions A, B ... N, each holding restricted resources (libraries and online journals such as IEEE Xplore, graduate and post-graduate research, industry-level academic knowledge, specialized equipment), linked by federated identities across entities in Malta.]
Student S from MCAST wants to use resource R at UoM...
What happens?
A) Nothing.
B) MCAST (government) buys R for S to use
C) S goes to uni and asks for a user account to access R (possible?)
D) S bribes/pleads with someone and gets access (possible!)
Can't we share specialized resources?
Can we join resources so that 1+1 = 3?
What do we do?
A) Build a big common room and store all the resources in them
B) Build a new common campus
C) Buy a truck and get a driver who would move stuff to and fro as required
D) Create an identity federation
Let's start off with an example: have you ever used IEEEXplore?
Obtaining resource R, 1st attempt: IP geolocation. The site checks the client IP against institutional IP ranges.
Obtaining resource R, 2nd attempt: federated IdM.
Centralised IdM vs Federated IdM
Why Federate?
What makes up a Federation?
Who Federates?
Less overhead
Wider reach
Sharing assertions and not identifying information
Less identities
Manage less passwords
Access to restricted resources from institutions in the circle of trust
Manage only internal identities
Enhanced Security
If student S leaves UoM, and is removed from eSIMS, then he/she cannot access MCAST anymore.
No need to scale up if federation grows
The number of federation users won't affect an entity's backend capacity: everyone is stored and managed at his/her own institution
Selective disclosure example: the SP needs to know "Are you over 18?"; the home IdP holds the Date of Birth and the Username and Password, and answers "Yes, he can log in!" without releasing the date of birth itself.
Single Sign-On as well as Single Sign-Out on Internet/Intranet
At first... large industries, such as (e.g.) Airbus and Michelin
Now... major online sites:
- To reduce cognitive workload
- To encourage user sign-ups
- To increase security
Have you heard of cross-border eID and STORK?
No redundant information exists at MCAST
Cross-border recognition of nationally issued digital signatures for security of data exchange requires interoperability at legal, operational and technical levels. The framework for a European Federated Validation Service will provide a necessary tool for the establishment of Trust between different issuers of certificates and for the technical validation of eSignatures.
Inter-EU State eID validity
a) Selective disclosure
b) With user consent
c) Sharing entitlements and auth
Faster Integration for Resource Sharing
Used widely in the US and EU
UK Access Management Federation
UK Academic community moving towards a federated approach
IdPs - Identity Providers
SPs - Service Providers
Some Screenshots
- E.g. Library
- Lab Access (IT Services Profile)
- Course Material on VLE
- Live@Edu (MCAST)
Resources which can be shared by UoM include:
- Online Journal Subscriptions at the Library
- ITS terminals
- MSDNAA Subscriptions

Interesting research on this topic:
- Extending CampusLink to make use of new tokens (e.g.Yubikey and NFC)
- Automated Policy mapping between institutions
- E.g. IT Services (UoM)
- Using any backend technology
(AD, LDAP, SQL Server, OpenID)
E.g. Students, Academics
- E.g. Rich Policy Environment
- Security Policies
- Privacy Policies
- Data Release Policies
St. Martins IdP
UOM IdP and SP
CampusLink Federation
SAML assertions contain authentication information about:
- a student, a lecturer or even the whole organization.

Assertion sent to the service provider which in turn makes use of the information appropriately.

Assertions are a core component within a federation
- relevant identity attributes are shared across entities,
- Not identifying information (respecting privacy and keeping redundancy of identity-related information in check)
Signed SAML Assertions
Example: This is a student from UOM who has been authenticated through a user name and password
IdP-initiated
SP-initiated: the WAYF (Where Are You From?) question is required, i.e. the SP must discover the user's home IdP.
It can be answered:
Manually: recall the IEEEXplore institution selection
Automatically: using an institution-issued smart card
How can these be applied?
E.g. Service Provider-initiated SSO: the SAML request is sent to the IdP over the HTTP Redirect binding and the signed response comes back over the HTTP POST binding (POST is what IEEEXplore uses)

Different Binding techniques exist
[Diagram: global policies set across the federation; each entity applies its own local policies. Message flow: 1. SAML Request (SP to IdP), 2. Signed SAML Response (IdP to SP).]
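The SP-initiated exchange above, written out end to end as an added example (this is not code from the lecture or from CampusLink; it uses only the Python standard library). The SP builds an AuthnRequest and encodes it for the HTTP Redirect binding (raw DEFLATE, base64, URL-encode); the IdP, having authenticated the user by username and password, issues an assertion that releases an affiliation and a derived "over 18" flag rather than the date of birth or username (the selective-disclosure slide earlier), and returns it over the HTTP POST binding; the SP then performs the checks it must pass before trusting any attribute: InResponseTo matches an outstanding request, the issuer is in the circle of trust, the signature verifies, the validity window holds, and the audience is this SP. Entity IDs, URLs and the user record are constructed, and an HMAC over the serialised assertion stands in for the XML Signature with the IdP's X.509 certificate that a real federation uses; that substitution is an assumption of the example, not a property of SAML.

```python
"""SP-initiated SAML-style single sign-on, end to end (added example, stdlib only)."""
import base64, hashlib, hmac, secrets, urllib.parse, zlib
import xml.etree.ElementTree as ET
from datetime import date, datetime, timedelta, timezone

SAMLP, SAML = "urn:oasis:names:tc:SAML:2.0:protocol", "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP); ET.register_namespace("saml", SAML)
ISO = "%Y-%m-%dT%H:%M:%SZ"

# Constructed federation metadata (hypothetical names). A real SP verifies an XML
# Signature with the IdP's X.509 certificate; a shared HMAC key stands in for it here.
SP_ENTITY_ID = "https://sp.example.edu/shibboleth"
IDP_ENTITY_ID = "https://idp.example.edu/idp"
IDP_SSO_URL = "https://idp.example.edu/sso/redirect"
IDP_KEY = b"stand-in-for-the-idp-signing-key"
TRUSTED_IDPS = {IDP_ENTITY_ID: IDP_KEY}   # the SP's view of the circle of trust

def _sign(key, data):
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def build_authn_request():
    """SP: AuthnRequest for the HTTP Redirect binding (raw DEFLATE -> base64 -> URL-encode)."""
    req_id = "_" + secrets.token_hex(16)
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", ID=req_id, Version="2.0",
                     IssueInstant=datetime.now(timezone.utc).strftime(ISO))
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = SP_ENTITY_ID
    z = zlib.compressobj(9, zlib.DEFLATED, -15)            # -15: raw DEFLATE, no zlib header
    encoded = base64.b64encode(z.compress(ET.tostring(req)) + z.flush()).decode()
    return req_id, f"{IDP_SSO_URL}?SAMLRequest={urllib.parse.quote(encoded, safe='')}"

def idp_handle_redirect(url, user):
    """IdP: decode the request (user already authenticated locally by username and
    password) and return the HTTP POST form field carrying a signed Response."""
    qs = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    req = ET.fromstring(zlib.decompress(base64.b64decode(qs["SAMLRequest"][0]), -15))
    t = datetime.now(timezone.utc)
    # Data-release policy (selective disclosure): release the affiliation and a derived
    # "over 18" flag, never the date of birth or the username; the NameID is transient.
    dob = user["dob"]
    age = t.year - dob.year - ((t.month, t.day) < (dob.month, dob.day))
    attrs = {"eduPersonAffiliation": user["affiliation"], "isOver18": str(age >= 18).lower()}
    a = ET.Element(f"{{{SAML}}}Assertion", ID="_" + secrets.token_hex(16), Version="2.0",
                   IssueInstant=t.strftime(ISO))
    ET.SubElement(a, f"{{{SAML}}}Issuer").text = IDP_ENTITY_ID
    ET.SubElement(ET.SubElement(a, f"{{{SAML}}}Subject"), f"{{{SAML}}}NameID",
                  Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient").text = "_" + secrets.token_hex(8)
    cond = ET.SubElement(a, f"{{{SAML}}}Conditions", NotBefore=(t - timedelta(minutes=1)).strftime(ISO),
                         NotOnOrAfter=(t + timedelta(minutes=5)).strftime(ISO))
    ET.SubElement(ET.SubElement(cond, f"{{{SAML}}}AudienceRestriction"),
                  f"{{{SAML}}}Audience").text = req.findtext(f"{{{SAML}}}Issuer")
    ctx = ET.SubElement(ET.SubElement(a, f"{{{SAML}}}AuthnStatement", AuthnInstant=t.strftime(ISO)),
                        f"{{{SAML}}}AuthnContext")
    ET.SubElement(ctx, f"{{{SAML}}}AuthnContextClassRef").text = \
        "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
    st = ET.SubElement(a, f"{{{SAML}}}AttributeStatement")
    for name, value in attrs.items():
        ET.SubElement(ET.SubElement(st, f"{{{SAML}}}Attribute", Name=name), f"{{{SAML}}}AttributeValue").text = value
    resp = ET.Element(f"{{{SAMLP}}}Response", ID="_" + secrets.token_hex(16), Version="2.0",
                      IssueInstant=t.strftime(ISO), InResponseTo=req.get("ID"))
    resp.append(a)
    ET.SubElement(resp, "Signature").text = _sign(IDP_KEY, ET.tostring(a))   # stand-in for ds:Signature
    return {"SAMLResponse": base64.b64encode(ET.tostring(resp)).decode()}

def sp_consume_response(form, expected_request_id, now=None):
    """SP assertion consumer: the checks an SP must pass before trusting any attribute."""
    now = now or datetime.now(timezone.utc)
    resp = ET.fromstring(base64.b64decode(form["SAMLResponse"]))
    if resp.get("InResponseTo") != expected_request_id:
        raise ValueError("unsolicited or replayed response")
    a = resp.find(f"{{{SAML}}}Assertion")
    key = TRUSTED_IDPS.get(a.findtext(f"{{{SAML}}}Issuer"))
    if key is None:
        raise ValueError("issuer is not a federation IdP")
    if not hmac.compare_digest(resp.findtext("Signature") or "", _sign(key, ET.tostring(a))):
        raise ValueError("bad signature on assertion")
    cond = a.find(f"{{{SAML}}}Conditions")
    nb = datetime.strptime(cond.get("NotBefore"), ISO).replace(tzinfo=timezone.utc)
    na = datetime.strptime(cond.get("NotOnOrAfter"), ISO).replace(tzinfo=timezone.utc)
    if not nb <= now < na:
        raise ValueError("assertion outside its validity window")
    if cond.findtext(f"{{{SAML}}}AudienceRestriction/{{{SAML}}}Audience") != SP_ENTITY_ID:
        raise ValueError("assertion addressed to a different SP")
    return {x.get("Name"): x.findtext(f"{{{SAML}}}AttributeValue") for x in a.iter(f"{{{SAML}}}Attribute")}

def demo():
    """Happy path, then a replay against another request, then a tampered audience."""
    student = {"affiliation": "student", "dob": date(1999, 5, 2)}      # constructed user record
    req_id, url = build_authn_request()
    form = idp_handle_redirect(url, student)
    attrs = sp_consume_response(form, req_id)
    try:
        sp_consume_response(form, "_" + secrets.token_hex(16))
        replay = "accepted"
    except ValueError as e:
        replay = str(e)
    xml = base64.b64decode(form["SAMLResponse"]).replace(SP_ENTITY_ID.encode(), b"https://other-sp.example/")
    try:
        sp_consume_response({"SAMLResponse": base64.b64encode(xml).decode()}, req_id)
        tamper = "accepted"
    except ValueError as e:
        tamper = str(e)
    return attrs, replay, tamper

if __name__ == "__main__":
    print(demo())
```

The order of the checks matters: the signature covers the whole Assertion, so a change to the Audience, the Conditions or an attribute is caught as a signature failure before the SP ever reads those values, and the InResponseTo check ties the response to a request this SP actually sent, which is what stops a captured response being replayed against a fresh session.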
Some notes on IdM
- Will start to face new IdM practices and issues in many established domains
- Will introduce (simplified) aspects of new IdM techniques
- Will not explore the wider issues behind identity and IdM
Before we start...
Various technologies/techniques/standards exist to achieve ID federation:
SAML (by the OASIS Security Services Technical Committee)
- Open, XML-oriented standard enabling 2+ security domains to exchange Authorization AND Authentication facts about a given entity
... across security domains (IdP and SP, i.e. RP).
- Gives a lot of flexibility in terms of federation configuration (i.e. participants) and allows for full adherence to the 7 laws of identity
Information Card metaphor
- CardSpace - Microsoft (.NET 3+) ~ XP onwards
... as part of the MS Identity Metasystem (started off by MS Passport)
- Lessons outlined by Kim Cameron
- Higgins Project (open source)
- DigitalMe (Bandit project)
OpenID (OpenID Foundation)
- Probably you already have an OpenID which you can use on OpenID-enabled sites
- E.g. if you have a Google, PayPal, Yahoo or Blogger account, amongst others...
- 1B+ OpenIDs
- Allows decentralized authentication processes and information sharing
SAML - why?
- Open
- Highly configurable
- Allows for signed requests and responses (X.509)
- Allows for several binding mechanisms (not just HTTP)
- Particularly useful in multi-channel systems
SFIMME (2008) used GSM as an out-of-band authentication mechanism
Liberty Identity Federation (ID-FF) by Liberty Alliance
In 2003 Liberty started working with OASIS
- De-facto standard for IDF
- IEEEXplore is working to integrate
with Athens (Eduserv, and the NHS in the UK)
... + 90 countries
... ~ 4.5 million users
... uses SAML
- Used to offer off-campus access to library resources
- Can we create new SAML Profiles (for GSM-based services?)
- i.e. For out-of-band or multichannel service provision and authentication?
- SP with n identities for entity E from n IdPs (can we identify and merge?)
- Users tend to forget which IdP they used to sign-up (i.e. emerging WAYF problem)
That's all folks!
Chris Porter
University of Malta
Authentication at the home IdP: any mechanism, depending on the LoA (level of assurance) required
and the policies set across the federation
Evaluation of FID
- Enhanced privacy (no redundant identifying info)
- Less cognitive workload (fewer profiles to manage, except for a few trusted IdPs)
- Users decide (or policy enforces) the usage of a specific IdP depending on the scenario
... e.g. Social Network IdP for blogging, but PayPal for eCommerce sites
- eGovernment? What IdPs could exist? (REAL ID in the US and many new IdPs in the UK)
- Faster take-up and conversion of visitors to registered users. No need to re-register!
Students use their existing Identity at their own IdP
- SSO is now possible across the Federation. Logged in at UoM, a student gets seamless access to IEEEXplore,
MCAST resources, St.Martins resources and so forth.
- Improved usability.
- Users understand the WAYF question (it has a physical-world analogue)
- Users are already familiar with their Home ID Provider's challenge/response UI
A case with CampusLink (work conducted by Braden Borg and myself)
OAuth 2.0
Main emphasis is on authorization (delegating permissions across domains). It is also widely used as the basis for login (e.g. at FB), although OAuth 2.0 by itself defines no authentication of the user; that is layered on top (e.g. by OpenID Connect), and an SP that treats a bare access token as proof of who the user is gets it wrong.
But OAuth is also good in many scenarios. Discussion here: https://www.mutuallyhuman.com/blog/2013/05/09/choosing-an-sso-strategy-saml-vs-oauth2/