Nathaniel McCallum, Sr. Software Engineer - Security, Red Hat
(slides: websso.github.io/files/webSSO_CIS.pdf)
Meet Al
Hi!
Al has a lot of passwords...
iwantaponey17
mom32F!mfi1%$fmoe
1852424
correcthorsebatterystaple
Tr0ub4dor&3
Al also has a lot of protocols...
SAML
OAuth
OpenID
Kerberos
Facebook Connect
BrowserID
A story of protocol proliferation
1. His enterprise (Kerberos) ID is useless outside his company.
2. New Internet authentication standards don't provide SSO, are restricted to HTTP, are complex to implement, have a bad security track record and lack usefulness in complex network topologies.
3. Secure sharing between data silos is an afterthought.
Al needs...
an easy to deploy, secure, federated SSO experience
built on scalable, web-based technologies
that transcends local, Internet and cloud infrastructure,
manages trust relationships dynamically
across complex network topology,
and handles delegation as a primary concern.
SSL/TLS Client Certificate Authentication
✔ easy to deploy, secure, federated SSO experience
✔ built on scalable, web-based technologies
✔ transcends local, Internet and cloud infrastructure
✗ manages trust relationships dynamically
✔ works across complex network topology
✗ handles delegation as a primary concern
Anatomy of a Typical Authorization System
Parties: Protected Resource, Client, Authentication Service
Requires the AS to be publicly available
Anatomy of TLS Client Certificate Authentication
Parties: Protected Resource, Client, Authentication Service
Certificate issuance is a manual process
Introducing...
SSL/TLS Client Certificate Authentication PLUS:
● HTTP REST service for obtaining short-term certificates with full support for secure credential delegation
● Additional security validations to permit globally unique identities via established certificate authorities
● Standard client behavior for a secure (a.k.a. no phishing), polished user experience
● DNS integration
webSSO Authentication
✔ easy to deploy, secure, federated SSO experience
✔ built on scalable, web-based technologies
✔ transcends local, Internet and cloud infrastructure
✔ manages trust relationships dynamically
✔ works across complex network topology
✔ handles delegation as a primary concern
webSSO – Typical Workflow
1. Client connects to Protected Resource.
2. Protected Resource prompts for client certificate.
3. Client has cert?
   Yes → Client presents certificate → Client Authenticated!
   No (Current Behavior) → Error!
   No (webSSO) → step 4.
4. Client has ACGC?
   Yes → Client locates webSSO AS via ACGC → Client acquires short-term cert → Client presents certificate → Client Authenticated!
   No → User enters credentials → Client locates webSSO AS via credentials → Client acquires ACGC → continue with the "Yes" branch of step 4.
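The flowchart as a runnable state machine (an added example, not code from the webSSO project): it assumes an ACGC is a reusable credential obtained with the user's password and later used to fetch short-term certificates, and models certificate validity with integer timestamps.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed model of the webSSO workflow (added example, not the webSSO
# project's code). Assumptions: an ACGC is a longer-lived credential that the
# client obtains from the webSSO AS with the user's credentials and later
# reuses to fetch short-term certificates; time and lifetimes are integers.
CERT_LIFETIME = 60  # constructed: how long a short-term cert stays valid

@dataclass
class Client:
    websso: bool = True                     # False models "Current Behavior"
    cert_expires_at: Optional[int] = None   # short-term cert, if any
    acgc: Optional[str] = None              # ACGC, if any
    log: List[str] = field(default_factory=list)

def connect(client: Client, now: int, credentials: Optional[str] = None) -> bool:
    """Walk the flowchart once; True means 'Client Authenticated!'."""
    client.log.append("Client connects to Protected Resource")
    client.log.append("Protected Resource prompts for client certificate")
    if client.cert_expires_at is None or client.cert_expires_at <= now:
        # Client has cert? No (an expired short-term cert counts as none).
        if not client.websso:
            client.log.append("Error!")             # No (Current Behavior)
            return False
        if client.acgc is None:                     # Client has ACGC? No
            if credentials is None:
                client.log.append("Error!")         # assumption: nothing to log in with
                return False
            client.log.append("User enters credentials")
            client.log.append("Client locates webSSO AS via credentials")
            client.acgc = "acgc:" + credentials     # constructed token
            client.log.append("Client acquires ACGC")
        client.log.append("Client locates webSSO AS via ACGC")
        client.cert_expires_at = now + CERT_LIFETIME
        client.log.append("Client acquires short-term cert")
    client.log.append("Client presents certificate")
    client.log.append("Client Authenticated!")
    return True

def sso_demo() -> List[bool]:
    """First login needs credentials; after the cert expires the ACGC alone
    renews it, which is the single sign-on property the slides claim."""
    c = Client()
    first = connect(c, now=0, credentials="al:hunter2")   # constructed
    cached = connect(c, now=30)        # cert still valid, no AS contact
    renewed = connect(c, now=100)      # cert expired, renewed via ACGC only
    return [first, cached, renewed]
```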
webSSO – Additional Features
● Deploys on existing HTTP stacks
(dynamic trust mgmt. requires additional validations)
● Verifies all parties in every transaction
● Protected resources can suggest identity providers
● Integration with existing solutions
(Kerberos, multi-factor auth, etc.)
webSSO Status
● IETF Internet Draft
● User experience mock-ups
● Working webSSO AS implementation
(Apache 2.0 licensed; release imminent)
http://webSSO.github.com