Federated Identity Providers and the Ipsilon project
Simo Sorce, Sr. Princ. Sw. Engineer, Red Hat
2015/02/06
2 Simo Sorce – DevConf.cz
What is Federation?
In a nutshell:
Dealing with users that you do not control on your own.
To do that you need to trust a third party.
Trusting a third party
An organization wants to offer services to another which “owns” the users' identities.
● User's org controls what is disclosed about the user
● User does not need to know additional credentials
● Third party does not need a full view of the users' store
[Diagram: foogle.omg asks redcat.omg "user?"]
Trusting a third-third party
Federation is also used when another party needs access to data on the user's behalf.
● Also known as delegation.
● The third party only gets access to specific user data
● The user/org. is in control of the permissions granted
[Diagram: user at redcat.omg; slurpIn.omg asks mydata.omg "user's data?"]
Not Federation
Surrendering credentials is not federation.
● User's org. has no control, breach of privacy.
● User has no control over what the 3rd party will actually do with the credentials.
● 3rd party has liabilities it shouldn't want.
● No Single-sign-on.
[Diagram: the user hands "[email protected] + password" for foogle.omg to slurpIn.omg, which then logs in to foogle.omg with the same "[email protected] + password" to pull the user's contacts]
Federation protocols
Most federation protocols are web/HTTP oriented
● Some authentication flows depend on a user sitting in front of a browser
● Non-interactive modes are available in some cases
● Delegation modes are non-interactive (but may depend on interactive modes for setting up the delegation)
To name a few:
● SAML, OpenID, OpenID Connect, Persona, ...
How does it work?
Glossary
Identity Provider
● Server that authenticates users
● Or provides enough data to verify an authentication assertion
Service Provider / Relying Party
● Server that needs authentication by a third party Identity Provider
● The system the user is trying to access (directly, or indirectly as in the delegation case)
SAML
Key aspects:
● Requires agreement between parties
  ● exchange of metadata and public keys
● The Identity Provider can choose what data to send
  ● third parties receive assertions with attributes
  ● Data can be encrypted
● Single-sign-on friendly
  ● Also supports single-logout and administrative logout
● Enterprise oriented
  ● Based on XML and SOAP on top of HTTP
  ● Spec by OASIS
SAML
Example auth flow:
[Diagram: User @ redcat (browser) between jomo.omg (the SP) and redcat.omg (the IdP); arrows: 303 → [auth] → 303]
● The SP redirects the user to the IdP to obtain an assertion that the user is valid and authenticated. The assertion contains attributes that identify the user.
● The Identity Provider (IdP) receives the SP's request and may ask the user for proof of identification (if needed). If all checks pass, the IdP redirects the user back to the SP to hand it an assertion.
No direct communication between SP and IdP is necessary at login time, thanks to the previous metadata exchange.
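The first redirect in the flow above is the SAML HTTP-Redirect binding: the SP's AuthnRequest is DEFLATE-compressed, base64-encoded and carried in the SAMLRequest query parameter of a 303 to the IdP. The Go program below is an added example, not code from these slides or from Ipsilon. It encodes a minimal AuthnRequest on the SP side, decodes it on the IdP side, and then applies the "agreement between parties" from the previous slide: the IdP will only ever deliver the assertion to the AssertionConsumerServiceURL recorded in the SP's registered metadata, whatever URL the incoming request names. The entity IDs, URLs, RelayState value and the registeredACS table are constructed; request signing and the assertion itself are not modelled.

```go
package main

import (
	"bytes"
	"compress/flate"
	"encoding/base64"
	"encoding/xml"
	"errors"
	"fmt"
	"io"
	"net/url"
)

// AuthnRequest is a minimal subset of the SAML 2.0 AuthnRequest element;
// real requests carry more attributes, and a signature when the IdP requires one.
type AuthnRequest struct {
	XMLName                     xml.Name `xml:"urn:oasis:names:tc:SAML:2.0:protocol AuthnRequest"`
	ID                          string   `xml:",attr"`
	IssueInstant                string   `xml:",attr"`
	AssertionConsumerServiceURL string   `xml:",attr"`
	Issuer                      string   `xml:"urn:oasis:names:tc:SAML:2.0:assertion Issuer"`
}

// registeredACS is what the IdP learned from the SP metadata exchanged when the
// two parties agreed to federate: SP entity ID -> the only ACS URL it may use.
// Values are constructed for this example.
var registeredACS = map[string]string{
	"https://jomo.omg/sp": "https://jomo.omg/saml/acs",
}

// EncodeRedirect is the SP side: XML -> raw DEFLATE -> base64 -> SAMLRequest
// query parameter, which becomes the Location of the 303 sent to the browser.
func EncodeRedirect(req AuthnRequest, relayState string) (string, error) {
	raw, err := xml.Marshal(req)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	w, err := flate.NewWriter(&buf, flate.DefaultCompression)
	if err != nil {
		return "", err
	}
	if _, err := w.Write(raw); err != nil {
		return "", err
	}
	if err := w.Close(); err != nil {
		return "", err
	}
	q := url.Values{}
	q.Set("SAMLRequest", base64.StdEncoding.EncodeToString(buf.Bytes()))
	q.Set("RelayState", relayState) // opaque SP state, echoed back unchanged later
	return "https://idp.redcat.omg/saml/sso?" + q.Encode(), nil
}

// DecodeRedirect is the IdP side: reverse the encoding and parse the request.
func DecodeRedirect(location string) (AuthnRequest, string, error) {
	var req AuthnRequest
	u, err := url.Parse(location)
	if err != nil {
		return req, "", err
	}
	q := u.Query()
	compressed, err := base64.StdEncoding.DecodeString(q.Get("SAMLRequest"))
	if err != nil {
		return req, "", err
	}
	raw, err := io.ReadAll(flate.NewReader(bytes.NewReader(compressed)))
	if err != nil {
		return req, "", err
	}
	if err := xml.Unmarshal(raw, &req); err != nil {
		return req, "", err
	}
	return req, q.Get("RelayState"), nil
}

// ResolveACS applies the agreement between the parties: the Issuer must be a
// registered SP, and the assertion goes to the ACS URL from its metadata, never
// to a URL chosen by whoever crafted the incoming request.
func ResolveACS(req AuthnRequest) (string, error) {
	acs, ok := registeredACS[req.Issuer]
	if !ok {
		return "", errors.New("unknown SP issuer: " + req.Issuer)
	}
	if req.AssertionConsumerServiceURL != "" && req.AssertionConsumerServiceURL != acs {
		return "", errors.New("AssertionConsumerServiceURL does not match registered metadata")
	}
	return acs, nil
}

func main() {
	req := AuthnRequest{ID: "_req-1", IssueInstant: "2015-02-06T10:00:00Z",
		AssertionConsumerServiceURL: "https://jomo.omg/saml/acs", Issuer: "https://jomo.omg/sp"}
	loc, _ := EncodeRedirect(req, "/app/home")
	fmt.Println("SP -> browser: 303 Location:", loc)
	got, relay, _ := DecodeRedirect(loc)
	acs, err := ResolveACS(got)
	fmt.Println("IdP will redirect to:", acs, "RelayState:", relay, "err:", err)
}
```

The ACS check is the practical payoff of the metadata exchange: an IdP that honoured any AssertionConsumerServiceURL in the request would deliver signed assertions about its users to an address of the requester's choosing, so the registered value wins over the requested one.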
OpenID Connect
Key aspects:
● Supports user-driven consent
  ● Users may be allowed to tell the IdP to trust arbitrary third parties (the IdP does not need to trust the RP)
  ● Users can be allowed to decide whether to allow or deny authentication requests and what data to send
● Completely different from OpenID 1.0/2.0
● Consumer oriented
  ● Based on REST, JSON and OAuth 2.0
OpenID Connect
Example auth flow:
[Diagram: User @ redcat (browser) between jomo.omg (the RP) and redcat.omg (the IdP); arrows: 303 → [auth] → 303 → validation]
● The RP redirects the user to the IdP to obtain an authentication token.
● The Identity Provider (IdP) receives the request and may ask the user for proof of identification (if needed). If all checks pass, the IdP redirects the user back to the RP to hand it a token.
The token needs to be validated online by the IdP.
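The RP side of the flow above, as an added example that is not code from these slides or from Ipsilon, and a deliberate simplification of a full OpenID Connect implementation: the RP puts a random state in the 303 to the IdP, refuses any callback whose state it did not issue (and consumes the state so the callback cannot be replayed), and then performs the "validation" step by asking the IdP's introspection endpoint (RFC 7662) whether the token is active and was issued to this very client. The IdP is stood in for by an in-process httptest server that only implements introspection; client ID, URLs, token values and subjects are constructed, and the callback parameters are handed to FinishLogin as url.Values however the browser delivered them.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// Introspection is the subset of an RFC 7662 introspection response the RP uses.
type Introspection struct {
	Active   bool   `json:"active"`
	ClientID string `json:"client_id"`
	Sub      string `json:"sub"`
}

// RP is the Relying Party; client ID and endpoint URLs are constructed values.
type RP struct {
	ClientID      string
	RedirectURI   string
	IdPAuthorize  string          // where the browser is sent by the 303
	IdPIntrospect string          // where the returned token is validated online
	pending       map[string]bool // states handed to browsers (a real handler guards this with a mutex)
}

func randomString() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return base64.RawURLEncoding.EncodeToString(b)
}

// BeginLogin builds the Location of the 303 to the IdP and remembers the random
// state so that the later callback can be tied to this login attempt.
func (rp *RP) BeginLogin() (location, state string) {
	state = randomString()
	rp.pending[state] = true
	q := url.Values{}
	q.Set("response_type", "token")
	q.Set("client_id", rp.ClientID)
	q.Set("redirect_uri", rp.RedirectURI)
	q.Set("scope", "openid")
	q.Set("state", state)
	return rp.IdPAuthorize + "?" + q.Encode(), state
}

// FinishLogin handles the 303 back from the IdP: the state must be one this RP
// issued (consumed on use), then the token is validated online with the IdP,
// which must report it as active and as issued to this client, not another RP.
func (rp *RP) FinishLogin(callback url.Values) (string, error) {
	state := callback.Get("state")
	if !rp.pending[state] {
		return "", errors.New("unknown or already used state")
	}
	delete(rp.pending, state)
	resp, err := http.PostForm(rp.IdPIntrospect, url.Values{"token": {callback.Get("access_token")}})
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	var info Introspection
	if err := json.NewDecoder(resp.Body).Decode(&info); err != nil {
		return "", err
	}
	if !info.Active {
		return "", errors.New("IdP reports the token as not active")
	}
	if info.ClientID != rp.ClientID {
		return "", errors.New("token was issued to a different client")
	}
	return info.Sub, nil
}

// NewFakeIdP is an in-process stand-in for the IdP's introspection endpoint;
// tokens maps each issued token to what introspection reports about it.
func NewFakeIdP(tokens map[string]Introspection) *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/introspect", func(w http.ResponseWriter, r *http.Request) {
		info, ok := tokens[r.FormValue("token")]
		if !ok {
			info = Introspection{Active: false} // unknown token: just report inactive
		}
		json.NewEncoder(w).Encode(info)
	})
	return httptest.NewServer(mux)
}

func main() {
	idp := NewFakeIdP(map[string]Introspection{"tok-abc": {Active: true, ClientID: "jomo-rp", Sub: "alice@redcat.omg"}})
	defer idp.Close()
	rp := &RP{ClientID: "jomo-rp", RedirectURI: "https://jomo.omg/callback", pending: map[string]bool{},
		IdPAuthorize: idp.URL + "/authorize", IdPIntrospect: idp.URL + "/introspect"}
	loc, state := rp.BeginLogin()
	fmt.Println("303 Location:", loc)
	sub, err := rp.FinishLogin(url.Values{"access_token": {"tok-abc"}, "state": {state}})
	fmt.Println("logged in as:", sub, "err:", err)
}
```

The client_id comparison is what makes the online validation meaningful: a token that the IdP issued for some other RP is still "active", so an RP that only checked that bit would accept a token minted for a different site.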
Persona
Key aspects:
● Privacy oriented
  ● The IdP doesn't get to know each and every user's move
● Requires a browser plugin or some complex JavaScript
● Based on email address for identity
  ● requires a public website to host the IdP public certificate
● Uses crypto to generate custom user certificates
  ● Uses custom public/private key protocol
  ● The protocol is called BrowserID
Persona
Example auth flow:
[Diagram: User @ redcat (browser) between jomo.omg (the RP) and redcat.omg (the IdP); arrows: [signs token] → validation; the RP only fetches the IdP's public certificate]
● The Identity Provider (IdP) is queried only to authenticate and obtain a user certificate valid for a short period.
● The RP obtains a signed assertion and the user's certificate and uses the IdP public cert. to establish authenticity.
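The certificate chain the RP checks in the flow above, as an added example in Go that is not code from these slides, from Persona or from Ipsilon. Ed25519 stands in for the key type BrowserID uses, plain JSON structures stand in for its certificate and assertion formats, and the idpKeyFor function passed to Verify stands in for fetching the IdP's public certificate from the email domain's website. Email addresses, domains and audience URLs are constructed. The RP verifies the IdP's signature on the short-lived user certificate, then the user's signature on the assertion, and checks the audience and both expiry times; nothing is sent to the IdP while the user logs in, which is the privacy property of the previous slide.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// UserCert is the IdP-issued "user certificate": a short-lived binding of an
// email address to a browser-generated public key (layout constructed here).
type UserCert struct {
	Email  string            `json:"email"`
	PubKey ed25519.PublicKey `json:"pub"`
	Exp    int64             `json:"exp"`
}

// Assertion is what the browser signs for exactly one site (the audience).
type Assertion struct {
	Audience string `json:"aud"`
	Exp      int64  `json:"exp"`
}

// Signed is a JSON payload plus an Ed25519 signature over it.
type Signed struct {
	Payload []byte
	Sig     []byte
}

func sign(priv ed25519.PrivateKey, v interface{}) (Signed, error) {
	payload, err := json.Marshal(v)
	if err != nil {
		return Signed{}, err
	}
	return Signed{Payload: payload, Sig: ed25519.Sign(priv, payload)}, nil
}

// IssueUserCert is the IdP step: after authenticating the user (not shown),
// certify the key the browser generated, valid only for a short period.
func IssueUserCert(idpPriv ed25519.PrivateKey, email string, userPub ed25519.PublicKey, now time.Time) (Signed, error) {
	return sign(idpPriv, UserCert{Email: email, PubKey: userPub, Exp: now.Add(10 * time.Minute).Unix()})
}

// SignAssertion is the browser step: sign an assertion scoped to one RP.
func SignAssertion(userPriv ed25519.PrivateKey, audience string, now time.Time) (Signed, error) {
	return sign(userPriv, Assertion{Audience: audience, Exp: now.Add(2 * time.Minute).Unix()})
}

// Verify is the RP step. idpKeyFor returns the public certificate that the IdP
// for an email domain publishes on its website; the IdP is not contacted.
func Verify(idpKeyFor func(domain string) (ed25519.PublicKey, bool), cert, assertion Signed,
	audience string, now time.Time) (string, error) {
	var uc UserCert
	if err := json.Unmarshal(cert.Payload, &uc); err != nil {
		return "", err
	}
	at := strings.LastIndex(uc.Email, "@")
	if at < 0 {
		return "", errors.New("malformed email in user certificate")
	}
	idpPub, ok := idpKeyFor(uc.Email[at+1:]) // the email domain decides which IdP may vouch
	if !ok {
		return "", errors.New("no IdP public certificate known for this domain")
	}
	if !ed25519.Verify(idpPub, cert.Payload, cert.Sig) {
		return "", errors.New("user certificate not signed by the domain's IdP")
	}
	if now.Unix() > uc.Exp || len(uc.PubKey) != ed25519.PublicKeySize {
		return "", errors.New("user certificate expired or malformed")
	}
	if !ed25519.Verify(uc.PubKey, assertion.Payload, assertion.Sig) {
		return "", errors.New("assertion not signed by the certified user key")
	}
	var a Assertion
	if err := json.Unmarshal(assertion.Payload, &a); err != nil {
		return "", err
	}
	if a.Audience != audience || now.Unix() > a.Exp {
		return "", errors.New("assertion is for a different site or has expired")
	}
	return uc.Email, nil
}

func main() {
	now := time.Now()
	idpPub, idpPriv, _ := ed25519.GenerateKey(rand.Reader)   // redcat.omg's IdP key pair
	userPub, userPriv, _ := ed25519.GenerateKey(rand.Reader) // generated inside the user's browser
	published := map[string]ed25519.PublicKey{"redcat.omg": idpPub} // what the IdP's website serves
	lookup := func(d string) (ed25519.PublicKey, bool) { k, ok := published[d]; return k, ok }
	cert, _ := IssueUserCert(idpPriv, "alice@redcat.omg", userPub, now)
	assertion, _ := SignAssertion(userPriv, "https://jomo.omg", now)
	email, err := Verify(lookup, cert, assertion, "https://jomo.omg", now)
	fmt.Println("RP accepted:", email, "err:", err)
}
```

The audience check is what stops one site from reusing an assertion a user produced for another, and looking the IdP key up by the email's domain is what stops an IdP for one domain from vouching for addresses in another.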
The Ipsilon project
Ipsilon
A pluggable Identity Provider
Supports multiple authentication methods
Supports multiple Federation protocols
Provides tools for easy installation, configuration and management
Not an Identity Management server
Ipsilon
The server is built in python
● Best run in mod_wsgi
● Standalone mode via cherrypy
● Plugins are “drop-in”
Clients available for apache
● Native C modules
  ● mod_auth_mellon (for SAML)
Merged with FedOAuth
FedOAuth
● Current Fedora authentication system
● Implemented OpenID
● Written in python too
Merged into Ipsilon
● Merge complete in December 2014
● Rolling the merged Ipsilon project in Fedora Infrastructure right now
Ipsilon authentication
Supports authentication via
● any apache module
● direct LDAP binds
● Kerberos
● Chaining to other IdP
  ● IPA / AD / etc...
Supports fetching info via
● LDAP
● Nsswitch
● Other IdP
Ipsilon protocol support
Federation protocols:
● SAML
  ● Uses lasso/xmlsec1 libraries
  ● Main focus when project was started
  ● ECP profile in the making
● OpenID
  ● Ported over from FedOAuth
  ● For Fedora Infrastructure support
● Persona
  ● Ported over from FedOAuth
● OpenID Connect (next)
Demo
Ipsilon roadmap
Integration with FreeIPA should be seamless
● Automatic configuration during setup
REST API
● For all admin operations
● For SAML SP registration
Protocols:
● Improve SAML support
● OpenID Connect
● More auth/info plugins
● kx509 ?
Questions?
Project points of contact:
http://fedoraproject.org/ipsilon
#ipsilon on Freenode
Feedback about this talk: http://devconf.cz/f/24