![Page 1: Dan Houser, MBA, CISSP, CCP Security Architect Nationwide Houserd1@nationwide.com Web Single Sign-On: Federated Identity.](https://reader035.fdocuments.net/reader035/viewer/2022062511/55181e925503469d318b4920/html5/thumbnails/1.jpg)
Dan Houser, MBA, CISSP, CCP
Security Architect
Nationwide
Web Single Sign-On: Federated Identity
Nationwide
Fortune 500 company
A leading US financial company & insurer:
• Life Insurance
• Automobile Insurance
• Property & Casualty Insurance
• Liability Insurance
• Annuities
• Retirement Products
• Investment Services
• Mortgages
Objectives
How a Fortune 500 company implemented SAML for
cross-company authentication (CCA)
Under the covers: how artifact and signed SAML
authentication works between business partners
Building an extensible, enterprise architecture
implementation with alpha and beta tools
Lessons learned, challenges, and surprises when
extending authentication and authorization to 3rd
parties
Identity, cryptography, and assertions, oh my!
Web services authentication and authorization
challenges
Web services
Phenomenal business acceleration since 1990
Transformation of business:
• From business at the club to EDI brokering
• From book binding to e-books to books on demand
• Supply chain management
Rapid changes in business and trust models
• Outsourcing, resourcing, insourcing
• Hosting, co-location, managed services, ASPs
• Intense, cyclical Acquisition & Divestiture activity
• Global markets & economies
Web services (2)
Generations of the Internet
1st Gen: Isolation (research)
2nd Gen: Information (storefront)
3rd Gen: Transaction (eCommerce)
4th Gen: Integration (Web services)
Quick Web services primer
Web Services
• Uses open, lightweight protocols: HTTP, XML, SOAP, WSDL, UDDI
• Provides a direct connection to business logic and core objects through Internet protocols
• Instead of COM, DCOM and RPC, now invoke a Web service over HTTP
Federated identity
What is federated identity?
• The agreements, standards and technologies that make identity and entitlements portable across autonomous domains.§
Cross-company authentication (CCA)
• Authentication & authorization between organizations and companies.
Essentially, same thing under the covers
§ Source: RSA Security, http://www.rsasecurity.com/go/google/fed_id/redirect.html
Federated identity Use case 1: Travel model
• A conducts business with B on behalf of end user
• Traditional back-office functions, but in real time
Reference model: Travelocity®
[Diagram: End user (B2B, B2C, B2E) reaches A's Web page over HTTP via the Internet/intranet; A in turn calls B, a 3rd-party Web services provider exposing its business logic, over HTTP/XML/SOAP.]
Federated identity Use case 2: Portal model
• B provides service or collaborative content for A
• Transparent to the end user.
Reference model: MapQuest® in Yahoo!® portal
[Diagram: End user (B2B, B2C, B2E) reaches A's Web page over HTTP via the Internet/intranet; behind the page, A calls B, a 3rd-party Web services provider with its own business logic, over HTTP/XML/SOAP.]
Federated identity Use case 3: Single sign-on model
• A redirects user to B
• B trusts A’s authentication
• “Single sign-on” (a.k.a. cross-company authentication, federated identity.)
Reference model: Private label banking
[Diagram: End user (B2B, B2C, B2E) comes to A's Web page over the Internet/intranet and is redirected to B, a 3rd-party Web services provider; the legs between user, A and B are numbered 1 to 4 and carry HTTP/XML/SOAP/SAML.]
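The redirect-and-trust exchange in use case 3 is what SAML 1.x calls the Browser/Artifact profile: A never hands the assertion to the browser, only a small single-use artifact, and B fetches the assertion from A over a back channel. The following Python is an added illustration, not code from this deck or from Nationwide's implementation. It simulates both halves: the asserting party A issues an artifact (TypeCode 0x0001, a 20-byte SourceID that is the SHA-1 of A's identifier, a 20-byte random AssertionHandle) and redirects the browser; the relying party B maps the SourceID to a partner it has on file, resolves the artifact, and receives the assertion exactly once. Partner identifiers, URLs and the assertion text are constructed, and the in-process `resolve()` call stands in for a samlp:Request over SOAP.

```python
"""SAML 1.x Browser/Artifact profile: the redirect leg and the back-channel
artifact resolution, both halves simulated in one process.

Added example for this page; it is not code from the Nationwide deck or from
any WAM vendor.  The artifact layout is the SAML 1.x TYPE 0x0001 artifact:
    TypeCode (2 bytes) || SourceID (20 bytes, SHA-1 of the asserting party's
    identifier) || AssertionHandle (20 random bytes), base64-encoded.
Partner identifiers, URLs and the assertion text are constructed for the example;
a real relying party would resolve the artifact with a samlp:Request over SOAP
instead of a method call.
"""
import base64
import hashlib
import secrets
import struct
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

TYPE_CODE = 0x0001            # the only artifact type defined in SAML 1.x
ARTIFACT_LEN = 2 + 20 + 20    # TypeCode + SourceID + AssertionHandle


def source_id(asserting_party_identifier: str) -> bytes:
    """SourceID lets the relying party pick the partner to resolve against."""
    return hashlib.sha1(asserting_party_identifier.encode("utf-8")).digest()


def parse_artifact(artifact: str) -> Tuple[int, bytes, bytes]:
    """Split a base64 artifact into (TypeCode, SourceID, AssertionHandle)."""
    raw = base64.b64decode(artifact, validate=True)
    if len(raw) != ARTIFACT_LEN:
        raise ValueError("malformed SAML 1.x artifact")
    (type_code,) = struct.unpack(">H", raw[:2])
    return type_code, raw[2:22], raw[22:]


class AssertingParty:
    """Site A: authenticates the user, then hands out single-use artifacts."""

    def __init__(self, identifier: str):
        self.identifier = identifier
        self._pending: Dict[bytes, str] = {}    # AssertionHandle -> assertion XML

    def issue_artifact(self, assertion_xml: str) -> str:
        handle = secrets.token_bytes(20)        # unguessable; never reused
        self._pending[handle] = assertion_xml
        raw = struct.pack(">H", TYPE_CODE) + source_id(self.identifier) + handle
        return base64.b64encode(raw).decode("ascii")

    def redirect_url(self, partner_acs_url: str, target: str, assertion_xml: str) -> str:
        """'A redirects user to B': the artifact rides in the query string; the
        assertion itself never passes through the browser."""
        query = urlencode({"TARGET": target, "SAMLart": self.issue_artifact(assertion_xml)})
        return f"{partner_acs_url}?{query}"

    def resolve(self, artifact: str) -> Optional[str]:
        """Answer a samlp:Request/AssertionArtifact: exactly one resolution per artifact."""
        type_code, sid, handle = parse_artifact(artifact)
        if type_code != TYPE_CODE or sid != source_id(self.identifier):
            return None
        return self._pending.pop(handle, None)  # pop: a replayed artifact gets nothing


class RelyingParty:
    """Site B: trusts A's authentication, but only for partners it has on file."""

    def __init__(self, partners: Dict[bytes, AssertingParty]):
        self._partners = partners               # SourceID -> resolver for that partner

    def consume_redirect(self, url: str) -> Tuple[Optional[str], str]:
        """Returns (assertion XML or None, TARGET to send the user on to)."""
        params = parse_qs(urlparse(url).query)
        artifact, target = params["SAMLart"][0], params["TARGET"][0]
        type_code, sid, _ = parse_artifact(artifact)
        partner = self._partners.get(sid)
        if type_code != TYPE_CODE or partner is None:
            return None, target                 # unknown SourceID: no trust relationship
        return partner.resolve(artifact), target


def demo() -> Dict[str, Optional[str]]:
    """Constructed walk-through: a good redirect, then the same redirect replayed."""
    a = AssertingParty("https://idp.example-a.com")
    b = RelyingParty({source_id(a.identifier): a})
    assertion = "<saml:Assertion>alice (constructed stand-in for a signed assertion)</saml:Assertion>"
    url = a.redirect_url("https://www.example-b.com/saml/acs",
                         "https://www.example-b.com/accounts", assertion)
    first, target = b.consume_redirect(url)
    second, _ = b.consume_redirect(url)         # replay: artifact already spent
    return {"first": first, "second": second, "target": target}


if __name__ == "__main__":
    print(demo())
```

Two properties carry the security of the profile: the artifact is useless to anyone who cannot reach A's back channel as a known partner, and A answers each artifact once, so a replayed or leaked redirect URL yields nothing.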
Web services implications
Extensible access portals for legacy business logic and processes
Ability to react to the market very quickly
Changes to core business applications are immediately available to trading partners, vendors, customers and regulators
Business velocity without roadblocks of building extensive GUI presentation layers
Web services introduce cross-company authentication
For selected interfaces:
Other business partners trust
your authentications, and…
Your organization trusts the
authentications provided by
others.
SAML provides framework for cross-company authentication
SAML: Security Assertion Markup Language
Lightweight protocol to exchange security assertions & artifacts
Can be signed for self-validating assertion
Permits partners to exchange assertions about authentication and authorization of users
SAML
SAML has 4 major components:
1. Assertions
• Authentication assertions
• Attribute assertions
• Authorization decision assertions
2. Request / response protocol – XML messages (samlp:Request / samlp:Response), in practice carried as SOAP over HTTP
3. Bindings – how SAML requests and responses map to transport protocols (such as SOAP over HTTP)
4. Profiles – how SAML assertions are embedded in or transported between parties (e.g. the Browser/Artifact profile)
SAML (2)
POST /SamlService HTTP/1.1
Host: www.example.com
Content-Type: text/xml
Content-Length: nnn
SOAPAction: http://www.oasis-open.org/committees/security

<SOAP-ENV:Envelope
    xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
  <SOAP-ENV:Body>
    <samlp:Request xmlns:samlp="…" xmlns:saml="…" xmlns:ds="…">
      <ds:Signature> … </ds:Signature>
      <samlp:AuthenticationQuery>
        …
      </samlp:AuthenticationQuery>
    </samlp:Request>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
Source: OASIS - http://www.oasis-open.org/committees/security/docs/cs-sstc-bindings-00.doc
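Once the middleware has verified the XML-DSig on the assertion that comes back in a samlp:Response, the relying party still has to decide whether to honour it. The following Python is an added example, not code from this deck or from any WAM product, of those remaining checks run over a constructed SAML 1.1 authentication assertion: trusted issuer, NotBefore/NotOnOrAfter with a bounded clock-skew allowance, AudienceRestrictionCondition, and one-time use of the AssertionID. The skew allowance is where the time-synchronization problem noted later under Troubleshooting shows up: without it, a partner clock a few minutes off rejects every assertion; without a bound, an old assertion stays usable. Issuer, audience, subject and instants in the sample are made up, and signature verification is taken as an input rather than performed here.

```python
"""Relying-party checks on a SAML 1.1 authentication assertion.

Added example for this page; not code from the Nationwide deck or from any WAM
product.  The assertion below is constructed (issuer, audience, subject and
instants are made up).  XML-DSig verification is assumed to have been done by
the SAML/XML library before this step; this code only consumes its verdict and
performs the checks that remain: issuer, validity window (with a clock-skew
allowance, since partner clocks drift), audience, and single use of the
AssertionID.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable

SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"
NS = {"saml": SAML1}

# Constructed sample of what the asserting party returns in its samlp:Response.
CONSTRUCTED_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    MajorVersion="1" MinorVersion="1"
    AssertionID="_a75adf55-01d7-40cc-929f-dbd8372ebdfc"
    Issuer="https://idp.example-a.com" IssueInstant="2003-01-15T14:00:00Z">
  <saml:Conditions NotBefore="2003-01-15T14:00:00Z" NotOnOrAfter="2003-01-15T14:05:00Z">
    <saml:AudienceRestrictionCondition>
      <saml:Audience>https://www.example-b.com</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AuthenticationStatement
      AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
      AuthenticationInstant="2003-01-15T13:59:58Z">
    <saml:Subject><saml:NameIdentifier>alice@example-a.com</saml:NameIdentifier></saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>"""


class AssertionRejected(Exception):
    """Carries the reason to log locally: the relying party only sees its half."""


def parse_instant(value: str) -> datetime:
    """SAML instants are UTC xsd:dateTime; the plain 'Z' form is handled here."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


class RelyingPartyValidator:
    def __init__(self, trusted_issuers: Iterable[str], audience: str,
                 clock_skew: timedelta = timedelta(minutes=3)):
        self.trusted_issuers = set(trusted_issuers)
        self.audience = audience
        self.clock_skew = clock_skew
        self._seen: Dict[str, datetime] = {}     # AssertionID -> when it can be forgotten

    def validate(self, assertion_xml: str, now: datetime, signature_verified: bool) -> str:
        """Return the authenticated subject, or raise AssertionRejected."""
        if not signature_verified:
            raise AssertionRejected("signature not verified")
        # Partner-supplied XML: use a hardened parser (e.g. defusedxml) in production.
        root = ET.fromstring(assertion_xml)
        if root.tag != f"{{{SAML1}}}Assertion" or root.get("MajorVersion") != "1":
            raise AssertionRejected("not a SAML 1.x assertion")
        if root.get("Issuer") not in self.trusted_issuers:
            raise AssertionRejected(f"untrusted issuer {root.get('Issuer')!r}")

        conditions = root.find("saml:Conditions", NS)
        if conditions is None or not conditions.get("NotBefore") or not conditions.get("NotOnOrAfter"):
            raise AssertionRejected("validity window missing")
        not_before = parse_instant(conditions.get("NotBefore"))
        not_on_or_after = parse_instant(conditions.get("NotOnOrAfter"))
        if now + self.clock_skew < not_before:
            raise AssertionRejected("not yet valid: check time synchronization")
        if now - self.clock_skew >= not_on_or_after:
            raise AssertionRejected("expired: check time synchronization")
        audiences = [a.text for a in conditions.findall(
            "saml:AudienceRestrictionCondition/saml:Audience", NS)]
        if audiences and self.audience not in audiences:
            raise AssertionRejected("not addressed to this relying party")

        assertion_id = root.get("AssertionID")
        self._forget_expired(now)
        if not assertion_id or assertion_id in self._seen:
            raise AssertionRejected("replayed or unidentified assertion")
        self._seen[assertion_id] = not_on_or_after + self.clock_skew

        name = root.find("saml:AuthenticationStatement/saml:Subject/saml:NameIdentifier", NS)
        if name is None or not name.text:
            raise AssertionRejected("no authenticated subject")
        return name.text

    def _forget_expired(self, now: datetime) -> None:
        """The replay cache only needs IDs that could still pass the time check."""
        for aid in [a for a, until in self._seen.items() if until <= now]:
            del self._seen[aid]
```

The replay cache is bounded by the same window as the time check: an AssertionID is remembered only until NotOnOrAfter plus skew, after which the time check rejects it anyway. Each rejection reason is distinct on purpose; with only half the transaction in your logs, the reason string is what you will be reading to the partner's helpdesk.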
SAML provides transaction trust
Layer                     Protocols providing trust
Enterprise                No existing protocol
Line of business          No existing protocol
Business function         No existing protocol
Session                   SSL / TLS / IPsec / Kerberos
Messages / Transactions   SAML / WS-Security / XML-DSig / Passport
Nationwide & CCA timeline
2000-2001
• Implemented several federated identity solutions
• Used proprietary artifacts & communication session solutions
• Worked well, but….
  • Unique “one-off” solutions
  • No standard to implement against; extensive re-work for each partner
Nationwide & CCA timeline (2)
2002
• Resolved to adopt a standards-based federated identity solution
• Investigated several federated identity standards
• SAML selected as best SSO authentication solution at the time
• Joined Liberty Alliance as Associate Member
Nationwide & CCA Timeline (3)
2002
• Determined three viable directions:
  • Web Access Mgmt (WAM) middleware
  • Adding SAML parsing to existing application(s)
  • Building own assertion generator & parser
• Investigated the market for vendor best suited to deliver SAML-based solution
• Established contract with WAM vendor
• Built first SAML implementation for SSO
Nationwide: First SAML cross-company SSO
• Launched January, 2003
• First commercial use of SAML for SSO
• Three business partners
• Nationwide provides portal, authentication & authorization for both other partners
[Diagram: End user (B2B, B2C, B2E) over the Internet/intranet; Nationwide performs AuthN and AuthZ, then links and redirects the user to the Financial Aggregator and to the Financial Services Company; the legs are numbered 1 to 6.]
Challenges
Complexity
Business issues
Federation
Weakest link
Business trust models
Complexity
Corporate 3-tier Web architectures are already complex
Federated SSO adds significant complexity in coupling:
• Existing infrastructure
• Web Access Mgmt (WAM) middleware
• Web services interfaces
• New infrastructure
• Cross-company functionality
Complexity (2)
Complexity requires technical sophistication on both sides of the relationship
Developers need to understand:
• SAML
• Web services
• WAM
• Encryption
Architects need to understand:
• Identity Management
• Authentication/authorization models
Complexity (3)
Complexity extends to privacy and identity issues
• Privacy policy aggregation, demarcation
• Need to involve CPO, General Counsel
• Identity management issues
• Legal contract & business agreement:
  • Roles & responsibilities
  • Vendor management
  • Procedures for validating trust
Business issues
The technology is moderately complex.
Trust & policies are harder.
Closer to a wedding than a business relationship
Nationwide’s solution:
• Certification & accreditation process
• Reference Architecture
• Strong 3-tier infrastructure architecture
• Forward-looking standards for trust governance
Federation
Interoperability of identity frameworks
Tough to do between existing corporate legacy applications
Even tougher between disparate organizations
Deep dive on assumptions, standards, vetting
Must scale and scope to business context
Weakest link
Security posture differences must be determined & governed.
• Alignment of reference architecture
• Policy & standards matrix comparison
• Establishment of CCA standards
SLA & performance weakest link
• If your SLA is 7x24, and your partner’s SLA is 5x10, how will you provide 7x24?
What now?
The Interconnectedness of all things…
Business trust models
Recognized needs:
• Ongoing contractual compliance
• Continual determination of trustworthiness
• Legal implications of trust model
Result:
• CCA standards
• Development of Xota(SM) protocol
Xota(SM) is a service mark of Nationwide Mutual Insurance Company. Patent Pending.
Xota(SM)
Combination of protocol & methodology
Permits determination of trustworthiness in real time between business partners
Trust governance at the transaction level
Continuous assessment of contractual and regulatory compliance
Nationwide is establishing a consortium
Surprises
Troubleshooting with ½ the data
Missing standards & solutions
Interoperability
Human factors
Troubleshooting
SAML consists of HALF transactions: the asserting party holds one half, the relying party the other
Troubleshooting with only half the data!
Complexity and cross-disciplinary issues
Coordinated helpdesk an issue
Log sharing, aggregation
Time synchronization an issue
Missing standards & solutions
SAML has some gaps
• No SAML session management
• No support for timeout, logoff “rollup”
• Had to develop own session management and session timeout protocol
Middleware gaps
• No signed SAML support in middleware
• Lack of 3-tier architecture support
Session management issues
[Diagram: the first SAML cross-company SSO flow again: end user, Nationwide (AuthN, AuthZ), Financial Aggregator, Financial Services Company, with links and redirects numbered 1 to 6.]
• Cookie forces session timeout – user must re-authenticate
• User is redirected back to Nationwide and gets a SAML assertion
• Goes through SAML authentication process again
Interoperability
Authentication & authorization required for both the business partners and users
SAML provides user authentication
No protocol support for partner connection authentication, authorization
Each partner connection model unique
Bleeding-edge implementation preceded Web services protocol standards
Human factors
Communications issues
Users unaware of SSO implementation:
• Sensitive to performance lag
• Multiple resubmits
• Question lack of sign-on – “Is security broken?”
Deep bookmarking
• Users will bookmark relying party sites
• Persistent cookie that identifies user as CCA user?
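The session-timeout and deep-bookmark problems on the last few slides both land on the relying party, and SAML 1.x gives it nothing to work with. The following Python is an added example, not Nationwide's or its WAM vendor's code, of one way a relying party can handle both: a server-side session with an idle timeout, plus a persistent marker cookie that says only "this browser came via SSO", so that an expired session or a bookmarked deep link is sent back to the asserting party with the requested page as TARGET rather than to a local login form. The cookie names, the timeout, the TARGET convention and the site URLs are all constructed for the example.

```python
"""Relying-party session handling around SAML 1.x SSO: idle timeout that sends the
user back to the asserting party for a fresh assertion, and deep-bookmark handling.

Added example for this page; not code from the Nationwide deck or its WAM vendor.
SAML 1.x defines no session or logout protocol, so everything here (the cookie
names, the idle timeout, the persistent 'CCA' marker cookie and the TARGET
parameter on the re-authentication redirect) is a constructed local convention,
as are the site URLs.
"""
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional
from urllib.parse import urlencode

SESSION_COOKIE = "RPSESSION"     # short-lived; holds only a random session id
CCA_MARKER_COOKIE = "CCA"        # persistent; says "this browser arrived via SSO"

DEMO_START = datetime(2003, 1, 15, 14, 0, tzinfo=timezone.utc)   # constructed clock


def clock(minutes: int) -> datetime:
    """Constructed clock for the walk-through: minutes after DEMO_START."""
    return DEMO_START + timedelta(minutes=minutes)


@dataclass
class Response:
    status: int
    location: Optional[str] = None
    body: str = ""
    set_cookies: Dict[str, str] = field(default_factory=dict)
    clear_cookies: List[str] = field(default_factory=list)


@dataclass
class Session:
    subject: str
    last_seen: datetime


class RelyingPartySessions:
    def __init__(self, site_url: str, asserting_party_sso_url: str,
                 idle_timeout: timedelta = timedelta(minutes=15)):
        self.site_url = site_url.rstrip("/")
        self.sso_url = asserting_party_sso_url
        self.idle_timeout = idle_timeout
        self._sessions: Dict[str, Session] = {}

    def start_session(self, subject: str, now: datetime) -> Response:
        """Called once an assertion for `subject` has been accepted."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(subject, now)
        # The marker carries no identity and is never trusted for access: it only
        # picks the login path to offer once the session is gone.
        return Response(200, set_cookies={SESSION_COOKIE: sid, CCA_MARKER_COOKIE: "1"})

    def handle_request(self, path: str, cookies: Dict[str, str], now: datetime) -> Response:
        sid = cookies.get(SESSION_COOKIE)
        session = self._sessions.get(sid) if sid else None
        if session is not None and now - session.last_seen < self.idle_timeout:
            session.last_seen = now             # activity restarts the idle timer
            return Response(200, body=f"{session.subject}: {path}")
        if session is not None:
            del self._sessions[sid]             # idle timeout: drop server-side state
        target = f"{self.site_url}{path}"
        if cookies.get(CCA_MARKER_COOKIE) == "1":
            # SSO user, or a deep bookmark from one: go back to the asserting party for
            # a fresh assertion and ask it to return the user to the page they wanted.
            location = f"{self.sso_url}?{urlencode({'TARGET': target})}"
        else:
            location = f"{self.site_url}/login?{urlencode({'next': target})}"
        return Response(302, location=location, clear_cookies=[SESSION_COOKIE] if sid else [])

    def logout(self, cookies: Dict[str, str]) -> Response:
        """SAML 1.x has no single-logout message: this ends only the local session.
        Rolling a logout up to the asserting party and other partners needs a
        protocol of your own, which is the gap the slides describe."""
        self._sessions.pop(cookies.get(SESSION_COOKIE, ""), None)
        return Response(302, location=f"{self.site_url}/", clear_cookies=[SESSION_COOKIE])


if __name__ == "__main__":
    rp = RelyingPartySessions("https://www.example-b.com", "https://idp.example-a.com/sso")
    sid = rp.start_session("alice", clock(0)).set_cookies[SESSION_COOKIE]
    cookies = {SESSION_COOKIE: sid, CCA_MARKER_COOKIE: "1"}
    print(rp.handle_request("/accounts", cookies, clock(5)))    # 200
    print(rp.handle_request("/accounts", cookies, clock(30)))   # 302 back to the asserting party
```

The marker cookie answers the slide's question with a deliberately weak cookie: it routes, it does not authenticate. Anyone can set it, and all they gain is a redirect to the asserting party, which will still demand its own authentication before issuing an assertion. Identity on the relying party always comes from a fresh assertion, never from anything persistent in the browser.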
Lessons learned
Have a good partner relationship with WAM vendor(s)
Business issues as significant as technology issues
Lightweight implementation toolkit required for smaller partners
Trust modeling important consideration
Benefits achieved
Federated identity provides flexible, adaptable solutions for SSO
Ability to use infrastructure for affiliates, other contexts
If you build it, they will come
Federated identity works reliably
Use of standards, such as SAML, pays off in 2nd, 3rd implementations
Q&A
Questions?
Further information
Contact information:
Dan Houser, MBA, CISSP, CCP
Security Architect
Nationwide
(614) 249-6639
Best resources:
• OASIS http://xml.coverpages.org/saml.html
• Liberty Alliance http://projectliberty.org
Thank you.
Questions, comments?
Mr. Houser will not be available to answer questions
at the Ask-the-Experts booth in the Exhibit Hall.
Please send questions to [email protected].