Title: A Role-Based Approach to Federated Identity
1. A Role-Based Approach to Federated Identity
- Ravi Sandhu
- Chief Scientist
- NSD Security
- www.nsdsecurity.com
- Also Professor of Information Security and Assurance, George Mason University
2. Federated Identity
- Cross organization
- Maintain authentication and authorization profile and provide single sign-on across multiple applications
- Focuses on letting the good guys in
3. Role-Based Management
- Authorization profiles are managed in terms of roles
- Administration is delegated in terms of identity management roles
(Diagram labels: Identity Management Roles, Roles, Consumers)
4. Securing Identity Profiles
- Authentication and authorization profiles are the organization's most sensitive data
- Managing these securely is an organization's most important security objective
5. What is Security?
- Catastrophic failure is far worse than occasional failure
- Good enough security
  - Is all we can achieve
  - Tolerates occasional failure
  - Does not tolerate catastrophic failure
6. Security is Only One Objective
7. Security Appliances
- Dedicated (but COTS) hardware
- Hardened OS
- Managed by restricted protocols (no root access)
- Highly available, scalable and secure
8. Authentication Ladder
(Diagram: a ladder spanning password usability at one end and PKI security at the other)
- Weak password systems: catastrophic dictionary attacks
- Hardened password (zero footprint): no change for users, no change for issuer, no password file (PKI hardened)
- Two-factor (with optional PKI): password plus USB token or variant
- Roaming PKI
9. 2-Key RSA vs. 3-Key RSA
- Old PKI
  - Keys
    - Alice public key e
    - Alice private key d
    - Alice certificate C
  - Signing
    - S <- Sign(M, d)
    - Send S, C to Bob
  - Bob
    - Gets e from C
    - Checks: does Verify(S, e) = M?
- Practical PKI
  - Keys
    - Alice public key e
    - Alice password key d1
    - Alice certificate C
    - Alice appliance key d2
  - Signing
    - Alice logs on to the appliance using strong authentication and creates a secure channel
    - Spartial <- Sign(M, d2)
    - S <- Sign(Spartial, d1)
    - Send S, C to Bob
  - Bob
    - Gets e from C
    - Checks: does Verify(S, e) = M?
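The 3-key flow above, worked through in toy RSA as an added example (not code from the slides or from NSD Security). It assumes a multiplicative split d1 * d2 = d (mod phi(n)), which is one way to make the sequential Sign(Sign(M, d2), d1) equal the old Sign(M, d); the slides do not state how d1 and d2 are derived, and the key sizes and message value are constructed for illustration.

```python
from math import gcd

# Toy RSA parameters, constructed for illustration only (far too small for real use).
P, Q = 61, 53
N = P * Q                 # modulus n = 3233
PHI = (P - 1) * (Q - 1)   # phi(n) = 3120
E = 17                    # Alice's public exponent e (carried in her certificate C)
D = pow(E, -1, PHI)       # 2753: the single private exponent d of the "old PKI" scheme

def split_private_key(d: int, d1: int, phi: int = PHI) -> tuple[int, int]:
    """Derive the appliance key d2 from d and a password key d1 so that d1*d2 = d (mod phi).

    Assumption: the slides do not say how d1 and d2 are produced; a multiplicative split
    is what makes Sign(Sign(M, d2), d1) on the slide equal the old Sign(M, d).
    """
    if gcd(d1, phi) != 1:
        raise ValueError("d1 must be invertible modulo phi(n)")
    d2 = (d * pow(d1, -1, phi)) % phi
    return d1, d2

def rsa_sign(m: int, exponent: int, n: int = N) -> int:
    """Textbook RSA exponentiation on a message representative m < n (no padding)."""
    return pow(m, exponent, n)

def appliance_partial_sign(m: int, d2: int) -> int:
    """Appliance side: Spartial = Sign(M, d2), done after Alice's strong authentication."""
    return rsa_sign(m, d2)

def user_finish_sign(s_partial: int, d1: int) -> int:
    """Alice's side: S = Sign(Spartial, d1) with her password-derived key."""
    return rsa_sign(s_partial, d1)

def three_key_sign(m: int, d1: int, d2: int) -> int:
    """Full 3-key signing flow; the resulting S equals the 2-key Sign(M, d)."""
    return user_finish_sign(appliance_partial_sign(m, d2), d1)

def verify(m: int, s: int, e: int = E, n: int = N) -> bool:
    """Bob's check: does Verify(S, e) = M, using e taken from Alice's certificate."""
    return pow(s, e, n) == m

if __name__ == "__main__":
    d1, d2 = split_private_key(D, 7)   # 7 stands in for a password-derived key
    m = 2                              # constructed message representative
    s = three_key_sign(m, d1, d2)
    print("S verifies:", verify(m, s), "| equals 2-key signature:", s == rsa_sign(m, D))
    # Either key alone gives an invalid signature: a stolen password key (no password
    # file to attack) or a compromised appliance cannot sign on Alice's behalf by itself.
    print("d2 alone:", verify(m, rsa_sign(m, d2)), "| d1 alone:", verify(m, rsa_sign(m, d1)))
```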
10. Single Sign On
- Cookie-based
  - Zero footprint on client
  - Lightweight footprint on servers
- Certificate-based
  - Lightweight footprint on client
  - Zero or lightweight footprint on servers
11. SSO and Authentication
- Authentication
  - Single factor
  - Two factor
- Single sign on
  - Cookie based
  - Certificate based
12. Security Identity Appliance Roles
- Appliance management roles
- Consumer management roles
- Consumer roles
13. Appliance Management Roles
- Supermanager
  - Not your usual root user
- Security manager
- System manager
(Diagram: Supermanager "can create but cannot do")
14. Consumer Management Roles
- Consumer management roles manage consumer roles
- Built-in roles
  - Super-csr
  - Create-csr
  - Modify-csr
  - Read-only-csr
15. Consumer Management Roles
(Diagram: Super-csr "can create but cannot do"; Consumer)
16. Consumer Management Roles
(Diagram: Consumer1 profile consisting of userid, user personal profile, org1 roles, org2 roles, ...)
17. Identity Management Processes
- Provisioning
  - Enrollment
  - Registration
  - Revocation
- Rights Management
  - Role and attribute assignment by Identity Management roles
  - Role revocation by Identity Management roles
- Consumer self-administration
  - Password change
  - Password reset
  - Profile update (such as address, phone number, etc.)
  - Revocation
18. OneHealthPort
(Diagram: Relying Party1 ... Relying Party-n and Trading Partner1 ... Trading Partner-k connected through OneHealthPort)
19. The technology behind OneHealthPort