OpenID & SAML, OpenID & SAML,

OpenID
OpenID & SAML
Identity SAML
&Identity
Federation, SuisseID
Federation, SuisseID
SingleAuthentication
Strong Sign
Single-Sign-on On Konzepte
-Strong
Concepts with Servicemit
Authentication
Future Service
Zukunft
&
Geneva Application Security Forum
2010
March 4th 2010
Robert Ott, Master of Science (Honors), CFO
Fredi Weideli, Master of Computer Science, CTO
Robert
clavid ag, Zug Ott
5180
- OpenID Representative Switzerland
- CFO, Clavid AG, Switzerland
Agenda
•SECTION 1 OpenID - What is it? How does it work?
Integration?

•SECTION 2 SAML - What is it? How does it work?

•SECTION 3 Identity Federation

•
•SECTION 4 A Word on SuisseID

•SECTION 5 Strong Authentication as a Service

•SECTION 6 Further Links / Conclusion / Q & A

G
e
n
e
SECTION 1

SECTION 1
OpenID
> What is it?
> How does it work?
> How to integrate?

G
e
n
e
 OpenID - What is it?

>Internet SingleSignOn >Free Choice of Identity Provider

>Relatively Simple Protocol >No License Fee
>User-Centric Identity Management >Independent of Identification Methods
>Internet Scalable >Non-Profit Organization

G
e
n
e
OpenID - How does it work?

User Hans Muster

(Domain: www.iid.ch)

AUTHENTICATION
Identity Provider
e.g. clavid.ch
hans.muster.iid.ch

Identity URL
OpenID=hans.muster.iid.ch e.g. hans.muster.iid.ch

Enabled Service

G
e
n
e
OpenID - How does it work?

User Hans Muster

4, 4a Identity Provider
e.g. clavid.com
hans.muster.clavid.com 5 6

1 2 Identity URL
Caption https://hans.muster.clavid.com
1. User enters OpenID
2. Discovery
3. Authentication
4. Approval
4a. Change Attributes
5. Send Attributes
6. Validation
Enabled Service

G
e
n
e
OpenID - How does it work?
Step 1: A user decides to use a personalized Internet Service supporting OpenID (e.g.
local.ch). The user clicks on „Login using OpenID“ and enters its OpenID (e.g.
hans.muster.iid.ch).
Step 2: The requested Internet Service converts the OpenID into an URL (
http://hans.muster.iid.ch) and requests this URL in order to receive the Identity
Provider of the user.
Step 2a: In this example, the user has delegated its OpenID to the Identity Provider
clavid.ch.
Step 3: The Identity Provider provides possible authentication methods for that specific
user (in this case “Password”). Having successfully authenticated, the next step
(approval ) is initiated .
Step 4: The user decides on the values of the requested attributes to be provided to the
Internet Service. The Identity Provider usually provides user specific Personas
(attribute templates ) to assist the user in this approval process .
Step 4a: At this point, the user may decide to change attribute values and store them on
the Identity Provider for future approvals for that specific service. Thus, a user can
automate future approvals for specific Internet Services.
Step 5, 6: The attribute values are then signed and communicated from the Identity Provider
to the Internet Service. The Internet Service validates the signature of the provided
attributes and finally accepts the user to be authenticated.

G
e
n
e
OpenID - How does it work?

G
e
n
e
OpenID - How does it work?

G
e
n
e
OpenID - User Centric Identity Management

TOMORROW
? FUTURE
TODAY ?
OpenID Provider Username
Username Password
Password

Username Username
Password Password

G
e
n
e
OpenID - How to Integrate?

Assumptions concerning your current Site

•Users sign in with their username and password
•There is a form, where new users have to register
•Each user is identified by a unique ID in your database
•A settings page let users manage their account info

Recipe
•Extend the database to map the OpenIDs to the user IDs
•Extend the registration page with an OpenID input field
•Extend the sign in page with an OpenID input field
•Extend the settings page to attach and detach openIDs

G
e
n
e
OpenID - How to Integrate?

Ingredients
•
•A OpenID Consumer Library
•
•
•The Standard OpenID Logos
•
•
•An OpenID Provider to test your site with

G
e
n
e
OpenID - How to Integrate?

OpenID Libraries
•Language Library
C# DotNetOpenId, ExtremeSwank
C++ Libopkele
Java NetMesh InfoGrid LID, OpenID4Java, joid

Perl Net::OpenID, OpenID4Perl

Python JanRain

Ruby JanRain, Heraldry

PHP Jan Rain, Zend Framework OpenID Component, Saeven.net's JanRain Service
Utility Class, Taral, Simple Class, sfOpenIDPlugin, CakePHP, EasyOpenID,
OpenID For PHP, AuthOpenID Snippet
Coldfusion CFKit OpenID, CFOpenID, OpenID CFC

Apache 2 mod_auth_openid

G
e
n
e
SECTION 2

SECTION 2
SAML
>What is it?
>How does it work?

G
e
n
e
SAML – What is it?

SAML (Security Assertion Markup Language ):

>Defined by the Oasis Group
>Well and Academically Designed Specification
>Uses XML Syntax
>Used for Authentication & Authorization
>SAML Assertions
>Statements: Authentication, Attribute, Authorization
>
>SAML Protocols
>Queries: Authentication, Artifact, Name Identifier Mapping, etc.
>
>SAML Bindings
>SOAP, Reverse-SOAP, HTTP-Get, HTTP-Post, HTTP-Artifact
>
>SAML Profiles
>Web Browser SingleSignOn Profile, Identity Provider
Discovery Profile, Assertion Query / Request Profile, Attribute
Profile

G
e
n
e
SAML – How does it work?

User Hans Muster

AUTHENTICATION
Redirect with Identity Provider
< Response
Redirect >with
( signed Assertion )>
< AuthnRequest
e.g. clavid.ch
Access
Resource

Enabled Service

e.g. Google Apps

for Business

G
e
n
e
SAML – How does it work?

User Hans Muster

3
2
4 Identity Provider
e.g. clavid.ch

4
2
1
6

Enabled Service

e.g. Google Apps

for Business

G
e
n
e
SAML – How does it work?

Step 1: A user decides to use a personalized Internet Service connected to a SAML based
Identity provider (e.g. Google Business Application Calendar).
Step 2: The Internet Service recognizes that the user is not logged in yet. A SAML
<AuthnRequest> is created and sent via redirect to the Identity Provider.
Step 3: The Identity Provider provides possible authentication methods for that specific user (in
this case “YubiKey” OTP). Having successfully authenticated, the next step is initiated.
Step 4: The Identity Provider creates a SAML <Response> containing the user’s identifier for the
specific target application. Then it signs the SAML <Response> and sends it via a Post-
Redirect to the Internet Services (e.g. Google Calendar)
Step 5: The Internet Service (e.g. Google Apps) verifies the signature of the SAML <Response>
and now knows the user’s identifier provided by the Identity Provider.
Step 6: The Internet Service can now be used by the user.

G
e
n
e
 SAML – How does it work?
1) Call Application URL

3) Application Usage
2) Login

G
e
n
e
SECTION 3

SECTION 3
Identity Federation

G
e
n
e
B2B Identity Federation - The Protocol Problem
Company A
Internet Service A
Intranet
Travel
https Proprietary Token Ticket Shop

Internet Service
OpenID B
Document
Management

SAML 1.0 Internet Service C

Personal
Recruting

SAML 2.0 SaaS Applications

G
e
n
e
B2B Identity Federation - The Protocol Mess
Company A
Internet Service A
Intranet Proprietary Token
OpenID Travel
Ticket Shop
SAML 1.0
https

SAML 2.0 Internet Service

B
Company B Document
Management
Intranet Proprietary Token
OpenID Internet Service C
SAML 1.0
Personal
https

SAML 2.0 Recruting

Company C
SaaS Applications
Intranet Proprietary Token
OpenID
SAML 1.0
https

SAML 2.0

G
e
n
e
B2B Identity Federation - The Protocol Solution
Company A
Internet Service A
Intranet
Travel
https Ticket Shop

Internet Identity Internet Service

Provider Proprietary Token B
Company B Proprietary Token Document
Identity Mapping Management
Intranet
OpenID
Internet Service C

Internet SSO
Biometric (AXSioncs)

Mobile Phone (SMS)

OpenID
eID (Identity Card)
SAML 1.0 Personal

One Time Passw.

https

SSL Certificates
Recruting

Internet SSO
Company C
SAML 2.0 (OTP) SAML 2.0 SaaS Applications
Intranet
https
https

G
e
n
e
B2B Identity Federation - The Protocol Solution

Company A Company B
Intranet Intranet

https
https

Internet Identity
Provider
Proprietary Token SAML 1.0 Company C
Internet SSO Identity Federation Intranet

Internet SSO
Biometric (AXSioncs)

Mobile Phone (SMS)

SAML 2.0
eID (Identity Card)

One Time Passw.

https
SSL Certificates

(OTP)
https

https

G
e
n
e
SECTION 4

SECTION 4
A Word on SuisseID

G
e
n
e
A Word On SuisseID

•SuisseID is currently in Early Draft Specification Phase

•SuisseID should be available for public in spring 2010
•SuisseID cost will be refunded by the Government in 2010
•SuisseID will most probably be:
–A signature certificate
–An authentication certificate
–All certificates conform to ZertES
–Certificates contain a unique SuisseID number
–An Identity Provider Services for attribute exchange
•
•Eligible SuisseID certificate service providers will be:
–Swiss Post (SwissSign), Swisscom, QuiVadis, Swiss Government

G
e
n
e
A Word On SuisseID

G
e
n
e
SECTION 5

SECTION 5
Strong Authentication as a Service

G
e
n
e
OpenID - International Identity Providers

Username/Password
Certificates

Biometric

OTP

G
e
n
e
Clavid Portal for Strong Authentication

G
e
n
e
Clavid Portal - AXSionics

G
e
n
e
Clavid Portal - Yubikey

G
e
n
e
Clavid Portal - Certificates

G
e
n
e
Clavid Portal - One Time Password

OTP Methods:
• OATH HOTP (RFC4226)
• Challenge/Response (RFC2289)
• Mobile OTP (OpenSource Project)
• SMS
• ... others ...

G
e
n
e
Clavid Portal - Personas

G
e
n
e
Clavid Portal - Login Settings

G
e
n
e
Clavid Login Dialog

G
e
n
e
SECTION 6

SECTION 6
Conclusion
>Further References
>Questions & Answers
>Contact Information

G
e
n
e
Further Links: on OpenID

OpenID Identity Providers can be found at:

>
>http://en.wikipedia.org/wiki/OpenID
>

>http://en.wikipedia.org/wiki/List_of_OpenID_providers
>

>http://www.openiddirectory.com/openid-providers-c-1.html
>

>http://www.clavid.com/ (Strong Authentication in

Europe)
>
>

G
e
n
e
Conclusion

>OpenID: An open, well documented specification allowing

Internet Single Sign-On (SSO) for individual “Public Services”
(B2C)
>
>SAML: Trust based Internet and Intranet Single Sign-On for
Business Services (B2B)
>
>Professional Identity Providers already in place
>
>User Centric Identity Management already integrated
>
>Join OpenID Switzerland in order to increase the OpenID
momentum

>Enable your Internet Services to support OpenID or SAML !!!

G
e
n
e
Demo

>SAML-Login to Google Business Apps using

AXSionics Fingerprint
>
>
>SAML-Login to Salesforce.com using YubiKey
OTP
>
>
>OpenID login to local.ch using Swiss
PostZertifikat
>
>
>Online Identity Administration (Clavid
Portal)
>
>

G
e
n
e
Questions & Answers

G
e
n
e
Contact Information

G
e
n
e