
NASA NEX & OpenID -- Observations --

Andreas Matheus, Secure Dimensions. Does NASA accept OpenID login? Does NASA accept OpenID login and rely on user identity assurance level 0? NO! But what do they do? For the NEX – NASA Earth Exchange – they do the following.





Presentation Transcript


  1. NASA NEX & OpenID -- Observations -- Andreas Matheus, Secure Dimensions

  2. Does NASA accept OpenID login?
     • Does NASA accept OpenID login and rely on the level of user identity assurance level 0?
     • NO!
     • But what do they do?
     • For the NEX – NASA EARTH EXCHANGE – they do the following ...

  3. Go to the NEX homepage
     • If you go to https://c3.nasa.gov they require you to log in via HTTP BASIC AUTH, using your NEX account
     • => No username/password = no login
     • If you go to https://c3.nasa.gov/nex then you can choose a login method
     • E.g. OpenID, as I do not have an account

  4. NEX Login – No, don't have one / Yes, do have one

  5. Sign In with your OpenID

  6. After Login... Your browser gets redirected back to ?NASA? Looks like a perfect phishing attack to me!

  7. After accepting the redirect back to NASA – Surprise: you arrive at the "Create New OpenID User" page

  8. What happens next?
     • You need to fill out the form
     • You will receive an email to confirm
     • Your account creation with NASA is then pending...

  9. "Conclusions" from Observation
     • NASA NEX does not allow straight OpenID login!
     • NASA NEX is accepting OpenID login, but only if your identity was checked by NASA before
     • So essentially, NASA has applied their own extra security to lift OpenID identity assurance level 0 to their own level
     • Problem:
       • You will end up with one NEX account for each of your OpenID accounts
       • Not interoperable if each "federation" service provider uses its own selection of OpenID providers

  10. This fits the SAML2 / OpenID proposal
     • SAML 2 as the standard for exchanging user assertions and establishing identity assurance through trusted Identity Providers
     • Users from trusted IdPs are directly accepted
     • Users from OpenID IdPs require extra checking
     • Advantage of SAML2 base vs. NASA approach
       • Not each Service Provider must create accounts themselves – trusted Identity Providers would do that
       • Guarantee to the user that once accredited at the SAML2 / OpenID IdP, the account would work with all Service Providers and not only NEX from NASA
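To make the contrast between slides 7-9 (the observed NEX flow: a level-0 OpenID identity is only accepted after the Service Provider's own form-and-email check, keyed per OpenID identifier) and slide 10 (a trusted SAML2 IdP vets the user once for all Service Providers) concrete, here is a small policy model. This is an added example and not code from the presentation, from NASA NEX or from Secure Dimensions; the assurance-level numbers, the IdP and OpenID provider URLs, the user identifiers and the account-naming scheme are constructed for illustration.

```python
"""Two ways a Service Provider (SP) can lift a self-asserted (level 0) OpenID
identity to the assurance level it requires: vet it locally per SP (the NEX
flow on slides 7-9) or trust a federation IdP that vetted it once (slide 10).

Added example; all URLs, identifiers and level values are assumptions.
"""
from dataclasses import dataclass, field

LEVEL_SELF_ASSERTED = 0   # plain OpenID: anyone can register an identifier
LEVEL_VETTED = 2          # identity checked by a trusted party (assumed value)


@dataclass(frozen=True)
class Assertion:
    """What the SP learns from a login: who asserted what about whom."""
    protocol: str   # "saml2" or "openid"
    issuer: str     # SAML2 IdP entity ID or OpenID provider URL
    subject: str    # SAML NameID or OpenID identifier


@dataclass
class ServiceProvider:
    name: str
    required_level: int = LEVEL_VETTED
    # issuer -> assurance level this SP trusts that issuer to vouch for (federation model)
    trusted_idps: dict = field(default_factory=dict)
    # (issuer, subject) pairs this SP vetted itself via form + e-mail confirmation (NEX model)
    locally_vetted: set = field(default_factory=set)
    # (issuer, subject) -> local account id: one account per asserted identifier
    accounts: dict = field(default_factory=dict)
    pending: set = field(default_factory=set)

    def assurance(self, a: Assertion) -> int:
        level = LEVEL_SELF_ASSERTED
        if a.protocol == "saml2" and a.issuer in self.trusted_idps:
            level = self.trusted_idps[a.issuer]
        if (a.issuer, a.subject) in self.locally_vetted:
            level = max(level, LEVEL_VETTED)
        return level

    def login(self, a: Assertion) -> str:
        """Return the local account id, or "pending" if extra checking is still needed."""
        key = (a.issuer, a.subject)
        if self.assurance(a) < self.required_level:
            self.pending.add(key)          # slide 8: account creation is then pending
            return "pending"
        if key not in self.accounts:
            self.accounts[key] = f"{self.name}-acct-{len(self.accounts) + 1}"
        return self.accounts[key]

    def vet(self, a: Assertion) -> None:
        """The SP's own identity check (slides 7-8: fill out the form, confirm by e-mail)."""
        self.locally_vetted.add((a.issuer, a.subject))
        self.pending.discard((a.issuer, a.subject))


def nex_style_scenario() -> dict:
    """Slide 9: each SP vets OpenID users itself and keys accounts by OpenID identifier."""
    nex = ServiceProvider("NEX")
    other = ServiceProvider("OtherSP")
    # The same person behind two OpenID identifiers (constructed values).
    alice_a = Assertion("openid", "https://openid-a.example", "https://openid-a.example/alice")
    alice_b = Assertion("openid", "https://openid-b.example", "https://openid-b.example/alice")
    out = {}
    out["first_try"] = nex.login(alice_a)        # level 0 < required level -> pending
    nex.vet(alice_a)
    out["after_vetting"] = nex.login(alice_a)    # NEX-acct-1
    nex.vet(alice_b)
    out["second_openid"] = nex.login(alice_b)    # NEX-acct-2: a second account for the same person
    out["other_sp"] = other.login(alice_a)       # pending again: NEX's vetting does not carry over
    return out


def federated_scenario() -> dict:
    """Slide 10: a trusted SAML2 IdP vets the user once; every SP trusting it accepts directly."""
    idp = "https://idp.federation.example/saml2"
    nex = ServiceProvider("NEX", trusted_idps={idp: LEVEL_VETTED})
    other = ServiceProvider("OtherSP", trusted_idps={idp: LEVEL_VETTED})
    alice = Assertion("saml2", idp, "alice@federation.example")
    bob = Assertion("openid", "https://openid-a.example", "https://openid-a.example/bob")
    return {
        "alice_at_nex": nex.login(alice),        # NEX-acct-1 without any local vetting
        "alice_at_other": other.login(alice),    # OtherSP-acct-1: the one accreditation works here too
        "bob_openid": nex.login(bob),            # pending: OpenID users still need extra checking
    }


if __name__ == "__main__":
    print(nex_style_scenario())
    print(federated_scenario())
```

The model keys accounts by the asserted (issuer, subject) pair, which is how the observed NEX flow appears to behave, so the "one NEX account per OpenID account" problem shows up directly as the second account in `nex_style_scenario`, and the missing interoperability as the second SP sending the already-vetted user back to "pending". In the federated variant the vetting lives at the IdP, so the assurance level arrives with the assertion and no SP has to run its own check; OpenID users without a trusted issuer still land in the extra-checking path, exactly as slide 10 proposes.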
