1 / 19

A Role-Based Approach to Federated Identity

A Role-Based Approach to Federated Identity. Ravi Sandhu * Chief Scientist NSD Security www.nsdsecurity.com. * Also Professor of Information Security and Assurance George Mason University. Federated Identity. Cross organization

waylonj
Download Presentation

A Role-Based Approach to Federated Identity

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. A Role-Based Approach to Federated Identity Ravi Sandhu* Chief Scientist NSD Security www.nsdsecurity.com *Also Professor of Information Security and Assurance George Mason University

  2. Federated Identity • Cross organization • Maintain authentication and authorization profile and provide single-sign-on across multiple applications • Focuses on “letting the good guys in”

  3. Role-Based Management Consumers Roles Authorization profiles are managed in terms of roles Administration is delegated in terms of identity management roles Identity Management Roles

  4. Securing Identity Profiles • Authentication and authorization profiles are the organization’s most sensitive data • Managing these securely is an organization’s most important security objective

  5. What is Security • Catastrophic failure is far worse than occasional failure • Good enough security • Is all we can achieve • Tolerates occasional failure • Does not tolerate catastrophic failure

  6. Ease of Use Security Total Cost of Ownership Integrated, identity management infrastructure Security is Only One Objective

  7. Secure Identity ApplianceTM Security Appliances • Dedicated (but COTS) hardware • Hardened OS • Managed by restricted protocols (no root access) • Highly available, scalable and secure

  8. Secure Identity ApplianceTM Authentication Ladder Two-factor (with optional PKI) Password plus USB token or variant Roaming PKI Weak Password Systems, Catastrophic Dictionary attacks Password Usability PKI Security Zero Footprint Hardened Password No change for users No change for issuer No password file (PKI hardened)

  9. Difference #1: Alice has short convenient password Difference #2: Alice has to interact with appliance to sign. 2-Key RSA vs. 3-Key RSA Old PKI Keys: • Alice Public = e • Alice Private = d • Alice Cert = C Signing: • a) S = Sign (M,d) Send [S, C] to Bob Bob: • Gets e from C • Does Verify(S,e) = M? • Practical PKI • Keys: • Alice Public = e • Alice password = d1 • Alice Cert = C • Alice appliance key = d2 • Signing: • Alice logs on to appliance using strong authentication and creates secure channel • Spartial = Sign(M,d2) • S = Sign(Spartial,d1) • Send [S, C] to Bob • Bob: • Gets e from C • Does Verify(S,e) = M?

  10. Single Sign On • Cookie-based • Zero footprint on client • Lightweight footprint on servers • Certificate-based • Lightweight footprint on client • Zero or lightweight footprint on servers

  11. SSO and Authentication • Authentication • Single factor • Two factor factor • Single sign on • Cookie based • Certificate based

  12. Security Identity Appliance Roles • Appliance management roles • Consumer management roles • Consumer roles

  13. System manager Security manager Appliance Management Roles • Supermanager • Not your usual root user • Security manager • System manager Supermanager Can-create but Cannot do

  14. Consumer Management Roles • Consumer management roles manage consumer roles • Built in roles • Super-csr • Create-csr • Modify-csr • Read-only-csr

  15. Create-csr Modify-csr Read-only-csr Consumer Management Roles Can-create but Cannot do Super-csr Consumer

  16. Create- csr1 Modify- csr1 Read-only- csr1 Modify- csr2 Read-only- csr2 Consumer Management Roles Consumer1 userid user personal profile org1 roles org2 roles …..

  17. Identity Management Processes • Provisioning • Enrollment • Registration • Revocation • Rights Management • Role and attribute assignment by Identity Management roles • Role revocation by Identity Management roles • Consumer self-administration • Password change • Password reset • Profile update (such as address, phone number, etc.) • Revocation

  18. OneHealthPort Relying Party1 Trading Partner1 OneHealthPort Relying Party2 Trading Partner2 Relying Party-n Trading Partner-k

  19. Secure Identity ApplianceTM The technology behind OneHealthPort

More Related