
Introduction to Federated Authentication Systems

BSides KC · 2018 · 21:56 · 21 views · Published 2018-06
Category: Technical
Style: Talk
About this talk
Explores federated authentication protocols like SAML 2.0 and OpenID Connect that enable seamless identity verification across organizational boundaries. Covers how federation works, common standards and implementations, and practical challenges in deployment including protocol complexity, user experience issues, and integration pitfalls.
Original YouTube description:
Over the past couple years, we have invited Alexa and Google into our homes to listen in. They are only supposed to transmit when they hear the key words of “Alexa” or “OK Google”, however are they transmitting more? Using networking tools I have been able to analyze the traffic being sent from these devices. Is it what you would expect? Come to this talk and find out.
Transcript (en):

Introduction to Federated Authentication

So let's say you're a developer. You just built your brand-new SaaS offering, businesses connect their customers, and you've got working all the necessary account management tools for these in order to create the users, both their employees and consumers. And so maybe you've gone about implementing that using Google Firebase or Amazon Cognito or any to your media or one of these frameworks that does all the thinking for you, stores passwords and creates users, and maybe you've even got password-less, excuse me, password-less authentication; we often find out we're using the most modern standards. So you feel really confident in your security posture, your account management story, and then you sit down with the first big enterprise customer and you're pitching them your own authentication features, and those are great features. They say, we don't even understand your stuff, but we have our own authentication system for our users or customers; how do we plug in our authentication system? They ask you. So you're sitting across the table and then you're like, the F word: federation. That's right. Do you think I'll start going to different, or am I right? So today I'm talking about: what is identity federation, how is it used, how does it work, and what challenges will I encounter in implementing it or using that defined enterprise.

About me: I'm an engineer at Cerner Corporation. I started writing software at a very early age, at the age of 8, on a computer from a store in St. Louis, so this first BASIC H89. Then I started working here at Cerner, did a lot of enterprise stuff, PeopleSoft, SharePoint farms; I work in integrating enterprise systems, which was integrating authentication. So I started learning about how authentication systems integrated early on, and from that experience I found that we were lacking in our own commercial offerings that we're offering clients. It's supplicating with: principal engineer over on our development side for operational solutions.

So what is federation? So here is a giant definition of federation from OASIS, which is kind of the standards group that created a standard around this process. So it refers

to establishing agreements, cryptographic trust, user identifiers or attributes across security policy domains to enable more seamless cross-domain business interactions. Well, let's kind of break this down to something a little bit more digestible. So the big thing that they're trying to do with these protocols is essentially make it very seamless in the way that you do business between two parties.

So take an example: Office 365. Anyone here who's Office 365 at their organization? So Office 365 is, in the language, a service provider. They're offering a service to you, but they don't necessarily want to be the one that's authenticating their users, so in this model they delegate this to your identity provider. So as you go through the login process they'll send you to an identity provider, and they're making the seams across the organizations: they don't authenticate your users, you authenticate them. So this linkage, this cross-organizational linkage, is known as a federation. And so Office 365 obviously has many of these federations, between, in the example, Generic Corp and so on, and each one of these individual entities is a federation itself. Of course you might use multiple service providers at your organization, so it becomes a many-to-many relationship, where there's individual federations between each organization and whichever service providers they use.

So as part of this, obviously, there's a business agreement: you're buying stuff from Office 365, Microsoft, and so you set up a business agreement that they're going to use your identity provider to authenticate users. As part of this process, for exchanging information, the big thing that we're interested in is the user identifier, who's actually logged in: can we get some agreement as to who it is that's authenticated, and potentially some attributes about them. So in the Office 365 example again, if you've ever logged in to Office 365, you know that the first thing that you do is you type in a user principal name like alice@example.com; that's what actually maps back to the identity provider. So you get to go here, identify my... Alice logs in, Alice has logged in to Office 365 at Example Corp, and alice@example.com is the identifier, but that might not be the same identifier that Workday uses to identify users. So Example Corp's federated relationship with Workday might be that they're mapping just an employee number, five four seven; it might not even be a user identifier.

Anyone use video on-demand services, HBO, through the cable provider? Do you ever go through that process? You go to HBO video on demand, it says pick a local cable provider, you pick Comcast Xfinity, you log in. It cares about the fact that you're a paid HBO subscriber; Comcast, the identity provider, doesn't really care about what you use. Very much like a social networking site, like how they get home to Cork, so when you get to a site that uses social networking login, obviously that's a federated relationship as well. They care about who you are; Facebook, etc., silicon market and asked for.

And finally, cryptographic trust. So, establishment of cryptographic trust: a lot of these protocols are built on top of cryptography. Most of these federation protocols have a concept of what's called metadata, and so this is data that describes the identity provider, its endpoints, and public keys that are used in order to facilitate protocol interactions. So these get exchanged in different ways. One of the ways is that administrators just manually exchange it: so Office 365 gives you their information in a file, you go to the administrative tooling in your identity provider and you import that information, either by picking it out or by hand-giving it the file directly, setup and so forth. Most times it's XML; in the case of OpenID it's JSON. Another way it can be done is through PKI, in which you bootstrap your trust relationship between each other via HTTPS URLs and use the internet's PKI system in order to trust one another's certificates. So in this case the service provider just reaches out to the identity provider, and vice versa. This is very useful because if, like, you want to rotate public/private keys, which is something that Active Directory Federation Services does automatically, here the basis has the ability for your systems to just automatically exchange and bootstrap trust; the internet web of trust is a very useful thing to have.

And then finally, I talked earlier about, you know, there's this many-to-many relationship between service providers and their subscribers. There's also a different model than existing federation, one kind of arrangement, is the security of cryptographic trust. So let's say for example you're like a university or research institute and you want to be able to allow all other universities or research institutes to be able to access authentication resources. There's actually an institution called InCommon which does this, which is essentially that it is an aggregate, a not-for-profit. All the different universities, that KSU and I see, join InCommon, they give the metadata to InCommon and have a business relationship with InCommon, and then all the participants are federated with InCommon in order to allow everybody in the federation to robbery. And so this eliminates having to have all these individual point-to-point federations with all the various parties; every university doesn't have to have a point-to-point federation with another university, you simply just join one large pool that aggregates federation.

So how does it work behind the scenes? These are the standards that exist out there in the wild. Most

prevalent is SAML 2, the Web Browser SSO Profile. OpenID Connect is a pretty popular one that was built over the last 10 years; most of the bigger social networks implemented it, except Facebook. And some of the older ones: OpenID 2.0, Connect, Liberty ID-FF, which is what a lot of your travel industry used for a very long time to facilitate single sign-on between the travel sites, Travelocity, et cetera. And WS-Federation, the big one in Microsoft land; anyone still using WS-Federation?

So most of these protocols rely on mechanics in these regions: these are browser-based protocols, and so they rely on the ability to do URL redirection or HTTP form posts to another site. So you begin by going to the service provider, say Office 365. Office 365 will redirect you or perform an HTTP post to your identity provider, where the IdP interacts with you, and then finally the IdP sends the original post response back to the service provider. This is way too much: messages exchanged in a browser so that they can know that you are a person sitting at this device. It's not limited to just browsers, though; URL redirection is actually possible in most modern operating systems, iOS, Android, Windows, so you can actually do inter-communication of this nature with native apps. So as long as it's URL-redirection based, you can facilitate these authentication protocols between native apps, whether it's that I competed in a service provider.

Responses: then the information that's actually exchanged, that's posted back to the service provider. The response contains a signature; it's signed with the provider's public key which you exchanged in the metadata, and sometimes do not make the direct callbacks, they're required or optional, that you can use them to check signatures. And then finally each one of these responses is designed with replay resistance, so they time out and contain a nonce. Other common features, simplifying on these protocols, define reification: you'll find step-up authentication, so the ability to convey that I need a particular type of authentication; the ability to facilitate a logout; the ability to exchange entities, this personal page engineers of forever; and then they usually have discovery, which is

useful as you're watching, having kind of a no-business-relationship federation.

So I'm gonna do challenges. I kept it with the time remaining so there's mostly some time for questions. There's quite a few challenges you're going to run into along the way with these protocols. Anyone know what this is? So, for those that are not familiar with this, this is the Homer: Homer Simpson gets a job at a car manufacturer and basically designs a car with all possible bells and whistles that you could ever possibly think of. Of course it's a spectacular failure, but this is what these protocols are like. The SAML 2 Web Browser SSO Profile specs clock in at about 300 pages, and that's not including XML digital signature, which is a prerequisite. Essentially they try to accommodate every possible use case they can imagine, but in doing so they make it extremely difficult for somebody that's just trying to do some basic integration, like I just... They give you way too many options, and so everything becomes like this custom consulting engagement, and everyone has a different idea of how much work, and very rarely do the two systems just interoperate out of the box without a heavy amount of customization. And so there's too many options; there's just too much complexity.

So when you're looking at implementing this, whether you're implementing a service that's going to consume this or whether you're actually providing it, there's a lot of implementation options, right: libraries, commercial service offerings, and software installed on-prem. And the big thing that I found personally is the more flexible the solution, the more enterprisey it's going to be. If you know what I mean by enterprisey, like these large ones that have lots of software packages: we install a web server and web application server, database, and 17 items later, about 17 hours of the install, or you're rolling it yourself, you're literally coding it from scratch. Flexibility: my personal recommendation here is, if your expertise is limited, buy commercial services to do this, and then if you really... if you find customers that need that flexibility, just be upfront with your customer about your integration options, like, hey, we only do X. Because otherwise you'll have folks that will come to you that basically say, hey, you've got SAML support, but you need to be doing it this way, that's completely wrong, you're doing it completely wrong, we have a better idea of how you should be doing this. This is very common. We've done, at Cerner, we've done hundreds of SAML integrations, and many times we'll come across this where someone will say, no, we just absolutely got it anyway, because it makes it really difficult. If you are anticipating that someone will come to you with a complicated use case, don't expect an off-the-shelf product to satisfy them all. Off-the-shelf products give you a little bit of safety: if someone does come to you and says, hey, we think it should work this way, you know, you can say, well, this is what the majority is capable of. But if you're looking to do something very complicated like the authentication or step-up authentication, an off-the-shelf product is not always going to be able to do that, so you may end up having to get a protocol expert that's gonna help you roll your own implementation, but we may have expertise to find an off-the-shelf product that does exactly what you need.

The biggest thing that we've found personally is that a good user experience is extremely challenging when working with federated authentication systems, any SAML-based IdPs, which came with more cases, really. One of my first

suggestions is, and this might be counterintuitive, but if you're building an app, your login process should not start at the identity provider. Don't make the first step a redirect into the login of the provider system; make that an explicit click, that you have a page that's presented to the user when they're not authenticated that says, hey, log in with X provider. This at least lets folks know that your app is up, and if it's not available there's a technical problem, so you can give them some sort of banner, you can inform them. So there's some disconnection between what your app is and what the identity provider is, entities building on top of this, and I think it might seem counterintuitive, or just run the login process in a separate tab or window.

One thing that identity providers do is handle browser history. So if you log in with a login form and then the user wants to use their browser history to navigate backwards, why don't identity providers... they'll just throw up an error, or they'll push you forward in the browser history, or they'll do just something completely nonsensical, or show the login form again. They'll do weird things which kind of make it difficult for your user to browse, for accessory navigation on mobile devices like Android: if you're trying to use the back button and you back up into their IdP and it blows up or pushes you forwards, it's really a dissatisfying user experience. So if you can, orchestrate that login yourself, centered on everything.

Then finally, you know, make it evident to the user what your application's session semantics are for the login process. Are they logging in until they explicitly log out, until the single logout? If they click logout, is it in fact other things they have logged in to? Different users have different expectations as to how logout works. So for example, if you use YouTube, a YouTube account, a Google account that you log into YouTube with: when you go to YouTube and you see account options and realize that it's your Google account, you kind of have that expectation that pushing sign out in YouTube will sign you out across all of Google's properties. But another person, you know, if they log in to, say, your social network account, just some random website that has a social login, they probably don't have the expectation that if they log out of that, it's gonna cause them to be logged out of their Facebook account. So different folks have different expectations depending on how they perceive things to be related, so depending on what product you're offering and how you expect your customers to integrate with it, you might have to think through what users are going to expect; it takes some amount of process.

Another thing we found, or I found, is that single sign-on and session timeouts are features that can really be at odds with each other. If you have a single sign-on capability and the customer says, hey, I want you to time users out on inactivity, it can be enough, because we're using a single sign-on system where the provider has its own session, and if it allows them to be logged in for an hour, it's this weird, it's a square-root scenario where your app says, hey, I logged you out because you're inactive, click here to log in; you click the login and then it just logs you back in, and you wonder whether the application is buggy, it isn't secure, etc. and so forth. There's ways you can get around this. You can design your system to look at when the identity provider authenticated the user, and then you could say, well, that's older than the maximum amount of time that I accept that person to be inactive; something just supports these dedicated right now. So that way, if they come into your application and it's been a long time since they've logged in, they'll be forced to re-authenticate, that again being a nod to single sign-on, depending on what their expectations are. And then Windows integrated authentication makes this a complete mess, because if you're using ADFS it'll always tell you that the person has just now logged in even if they logged in earlier. So this has created a lot of cognitive dissonance, and so this dissonance of, you know, navigation time, you've been logged out, if you click and then just sign right back in, it can make folks distrust the system, must need security professionals, because, like, well, I've logged out but it's still logged in, what's going on?

Things you could do: you could disallow Windows integrated authentication, that's obviously one. You could design your system to not aggregate all sessions, so they last longer than those that are established; there are mechanisms, most of the protocols convey how these are logged in. Or just change your user experience: so instead of telling them, hey, you've been logged out for security, just treat it as a security check. So for example, say, hey, you're still logged in with Example One, click here to proceed. So that way they don't have the expectation that the relation logged out, that it's just that they had to do the security check; it may or may not have to authenticate. So if your business is spending on a service provider, consider if your service providers thought through these concerns, and then, you know, kind of verify that they provide a sensible security to constrict users in various cases.

So to sum up: if you're an enterprise or developer offering a solution, enterprises expect identity federation to appear at some point, this is one to plug in, or other than these many times our small business

these pre-built solutions were impossible handed their simple use cases. If you have complex use cases, you're gonna have to expect to deal with some sort of enterprise solution, staffing hands, which would be super positive development for you. Finally, user experience is super critical: anticipate our cases and test your experience with actual users; make sure the service provider that you choose behaves within their expectations.

So, landing here, I've spent to you that, so we have a bit of time for questions. So maybe I've got a question for the audience: how many folks are using identity federation in some way today in the enterprise here? How many folks have really complicated use cases, or is it just using this for basically instant login? How many just use it for a very basic use these days, just purely login, no sign out, from satellite need be off?

All right, thank everyone for showing up today, and help everyone join us today. [Applause]
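Two points from the talk lend themselves to one worked example: the checks a service provider applies to the response posted back to it (signature, timeout, nonce) and the suggested fix for the single-sign-on versus inactivity-timeout clash (look at when the identity provider authenticated the user and force re-authentication if that is older than the app's own limit). The code below is an added illustration, not code from the talk or from any product it names. It assumes an HMAC over a JSON body as a stand-in for the real XML-DSig or JWT signature, and the field names id, in_response_to, issued_at, authn_instant and subject are constructed for this example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed shared secret standing in for the key material exchanged via
# metadata. Real SAML/OIDC responses are signed with the IdP's private key and
# verified with the public key from its metadata; HMAC keeps this stdlib-only.
IDP_KEY = b"constructed-example-idp-key"

def sign_response(payload: dict, key: bytes = IDP_KEY) -> str:
    """IdP side (simulated): serialise the response and attach a signature."""
    body = base64.urlsafe_b64encode(
        json.dumps(payload, sort_keys=True).encode()).decode()
    sig = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + sig

class ServiceProvider:
    """Consumes signed IdP responses the way the talk says an SP should."""

    def __init__(self, max_response_age=300, max_authn_age=3600, key=IDP_KEY):
        self.key = key
        self.max_response_age = max_response_age  # response validity window (s)
        self.max_authn_age = max_authn_age        # app's own inactivity limit (s)
        self.pending = set()  # request ids we issued; acts as the nonce
        self.seen = set()     # response ids already consumed (replay check)

    def start_login(self, request_id: str) -> str:
        """Step 1: record the request id before redirecting the user to the IdP."""
        self.pending.add(request_id)
        return request_id

    def consume(self, token: str, now: float = None) -> tuple:
        """Step 3: validate the response posted back to the service provider."""
        now = time.time() if now is None else now
        body, _, sig = token.rpartition(".")
        expected = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        # Signature first: nothing below is trustworthy until this passes.
        if not hmac.compare_digest(sig, expected):
            return ("rejected", "bad signature")
        resp = json.loads(base64.urlsafe_b64decode(body))
        # Nonce: the response must answer a request we actually issued ...
        if resp["in_response_to"] not in self.pending:
            return ("rejected", "unsolicited or already-used request id")
        # ... and must not be presented twice.
        if resp["id"] in self.seen:
            return ("rejected", "response replayed")
        # Timeout: responses are only valid inside a short window.
        if not resp["issued_at"] <= now < resp["issued_at"] + self.max_response_age:
            return ("rejected", "response outside validity window")
        self.pending.discard(resp["in_response_to"])
        self.seen.add(resp["id"])
        # SSO vs inactivity timeout: the IdP may report an old login. If it is
        # older than the app's own limit, ask for re-authentication instead of
        # silently logging the user straight back in.
        age = now - resp["authn_instant"]
        if age > self.max_authn_age:
            return ("reauth", "IdP login is %ds old, limit %ds" % (age, self.max_authn_age))
        return ("ok", resp["subject"])
```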