Federated Shibboleth, OpenID, oAuth, and Multifactor | 1

Federated Shibboleth, OpenID, oAuth, and Multifactor

Russell Beall Senior Programmer/Analyst

University of Southern California beall@usc.edu

Federated Shibboleth, OpenID, oAuth, and Multifactor | 2

University  of  Southern  California  

  Private  research  university,  founded  1880    Budget:  

  $2.9  billion  annually    $560.9  million  sponsored  research  

  LocaGons:    two  major  LA  campuses    six  addiGonal  US  locaGons    four  internaGonal  offices  

  http://about.usc.edu/facts  

Federated Shibboleth, OpenID, oAuth, and Multifactor | 3

University  of  Southern  California  

  298,000+  affiliated  individuals    17,500  undergraduate  students    20,500  graduate  and  professional  students    3,400  full-­‐Gme  faculty    11,800  staff    240,000  alumni    5200  sponsored  affiliates  with  acGve  services    157  self-­‐registered  guest  accounts  (so  far)  

Federated Shibboleth, OpenID, oAuth, and Multifactor | 4

Problems  solved  

  Faculty/Staff/Student/Guest  access    systems  of  record    

  automated  account  creaGon    sponsorship  and  veXng   mature  access  control  infrastructure  

Federated Shibboleth, OpenID, oAuth, and Multifactor | 5

Problems  solved  

  Federated  access    self-­‐registraGon  

  no  USC  account  to  maintain    limited  sponsorship/veXng   works  within  mature  access  control  infrastructure  

Federated Shibboleth, OpenID, oAuth, and Multifactor | 6

New  InteresGng  Problems  

  oAuth    OpenID   MulGfactor  

Federated Shibboleth, OpenID, oAuth, and Multifactor | 7

oAuth  and  OpenID  

  AlternaGve  to  Shibboleth  Federated  login    useful  for:  

 non-­‐parGcipants   strict  access  IdPs  

 replacement  of  ProtectNetwork  

Federated Shibboleth, OpenID, oAuth, and Multifactor | 8

oAuth  and  OpenID  

  oAuth  –  secure    Data  retrieved  on  backend  

 server-­‐to-­‐server  communicaGon   trust  token  exchange   secret  key/token  signing  of  requests  

  Not  subject  to  spoofing    OpenID  –  insecure  (untrustworthy)  

  Data  returned  in  HTTP  GET  parameter    Easily  spoofed  using  proxy  server  

♦  Haven’t  run  a  spoof  test,  so  I  may  be  proven  wrong…  

Federated Shibboleth, OpenID, oAuth, and Multifactor | 9

MulGfactor  

  several  quality  levels:    lightweight  version    

 local  credenGal  plus  oAuth   local  credenGal  plus  federated  Shibboleth  

  full-­‐fledged  opGons   Gqr  

 Duo   others  

Federated Shibboleth, OpenID, oAuth, and Multifactor | 10

MulGfactor  

  Two  types  possible  with  Shib:    decided  by  applicaGon  

 app  chooses  other  factor(s)  and  requests  as  needed   authenGcaGon  contexts  coordinated  by  SP  config  

  IdP-­‐based   IdP  uses  mulGple  factors  within  a  single  context  

Federated Shibboleth, OpenID, oAuth, and Multifactor | 11

Trust  

 What  is  the  trust  model?    How  do  we  trust:  

  a  hardware  token?  

  an  oAuth  authenGcaGon  event?    a  FederaGon  member  authenGcaGon  event?  

Federated Shibboleth, OpenID, oAuth, and Multifactor | 12

Trust  

  Trust  is  established  with:    veXng  

  token  management  pracGces  

  Applies  equally  to  hard  or  soj  tokens    Either  must  be  registered  

Federated Shibboleth, OpenID, oAuth, and Multifactor | 13

RegistraGon  

  MulGfactor    requires  hardware  token  linking  

 phone   keyfob  

  oAuth/Federated  authenGcaGon    good  =  vemed  registraGon  under  supervision    sufficient(?)  =  telephone/email  communicaGon  of  idenGfier  to  be  trusted  

  If  nobody  controls  registraGon,  neither  can  be  trusted  

Federated Shibboleth, OpenID, oAuth, and Multifactor | 14

RegistraGon  

Federated Shibboleth, OpenID, oAuth, and Multifactor | 15

RegistraGon  

Federated Shibboleth, OpenID, oAuth, and Multifactor | 16

RegistraGon  

Federated Shibboleth, OpenID, oAuth, and Multifactor | 17

RegistraGon  

Federated Shibboleth, OpenID, oAuth, and Multifactor | 18

RegistraGon  

Federated Shibboleth, OpenID, oAuth, and Multifactor | 19

RegistraGon  

Federated Shibboleth, OpenID, oAuth, and Multifactor | 20

Enrichment  

  RegistraGon  of  oAuth  or  FederaGon  guest  creates  simple  LDAP  account  

  No  password    Allows  for  enrichment  of  addiGonal  data  including  access  enGtlements  

  Targeted  enrichment  creates  a  layer  of  trust  ♦  Layer  is  thin  but  workable  

Federated Shibboleth, OpenID, oAuth, and Multifactor | 21

Enrichment  

Federated Shibboleth, OpenID, oAuth, and Multifactor | 22

Demo  

Federated Shibboleth, OpenID, oAuth, and Multifactor | 23

For  Future  Pondering  

  With  sufficient  veXng,  could  a  sojware  token  as  a  second  factor  authenGcaGon  be  acceptable?    Plus  points:  

 low  budget   hacking  one  account  is  easy,  hacking  two  and  knowing  the  linkage  is  not  

  NegaGves:   duplicated  passwords   depends  on  free  APIs  with  no  service  contract