Secure Identity Management

References

Queue

Stakeholders

  Intranet
Applications		 Internet
Applications
Private
(Employees)		 Zimbra
CS		 SilkRoad
Aetna
Protected
(Partners)		 n/a Basecamp
Google Docs
Public
(Anyone)		 n/a www.wested.org
www.simscientists.com

Glossary

One-way Trust vs. Two-way Trust

One-way trust Users from Site A can use Site B. Users from Site B cannot access Site A.
Two-way trust Users from Site A can use Site B, and vice versa.

Trusted vs. Trusting

Trusted site The site that does the authentication.
Trusting site The site that allows access to users from a trusted domain.

Transitive Trust vs. Intransitive Trust

Transitive Trust If Site A trusts Site B, and Site B trusts Site C, then Site A will automatically trust Site C. Conceptually this is like creating a chain of trust.
Intransitive Trust If Site A trusts Site B, and Site B trusts Site C, then Site A will not automatically trust Site C.

Active Directory

Active Directory
Active Directory is a Microsoft technology that provides network services, including LDAP-like directory services, Kerberos-based authentication, DNS-based naming, centralized network administration, some single sign-on, and user account synchronization.
Active Directory Domain Services (AD DS)
AD DS is the central location for configuration information, authentication requests, and information about all of the objects (users, groups, computers, applications) that are stored within your forest.
Active Directory Rights Management Services (AD RMS)
AD RMS can protect a file by identifying the rights that a user has to the file. Rights can be configured to allow a user to open, modify, print, forward, or take other actions with the rights-managed information.
Active Directory Federation Services (AD FS)
Authenticate users from partner organizations. Grant external users access to your organization’s domain resources. AD FS can also simplify integration between untrusted resources and domain resources within your own organization.
Active Directory Certificate Services (AD CS)
AD CS binds the identity of a person, device, or service to a private key. Storing the certificate and private key within Active Directory helps securely protect the identity, and Active Directory becomes the centralized location for retrieving the appropriate information when an application places a request.
Active Directory Lightweight Directory Services (AD LDS)
A light-weight implementation of Active Directory, including an identical API, but without the need to create domains or domain controllers. AD LDS can be used in conjunction with AD DS so that you can have a central location for security accounts (AD DS) and another location to support the application configuration and directory data (AD LDS).

Glossary

Higgins project by Eclipse Foundation
?
Geneva software by Microsoft
Microsoft's code-name "Geneva Framework" is really Windows Identity Foundation, and "Geneva Server" is Active Directory Federation Services 2.0.
Identity Metasystem Interoperability Version 1.0
Developed by Organization for the Advancement of Structured Information Standards. For levels of assurance 1 through 3 as defined by NIST Publication 800-63.
Information Card Architectures (ICAs) aka Info Cards
E.g. a swipe card. Provides phishing-resistant authentication. Microsoft is publishing information card software called "Geneva".
OpenID
OpenID gives you a username and password that you can use on many popular websites. For example, you can get an OpenID username and password from Yahoo.com. Now when you go to Flickr.com, you can choose to sign in with your Yahoo OpenID. Flickr will automatically connect you to Yahoo, where you sign in, and then you can use Flickr.
OAuth
OAuth enables you to permit one website to connect to another website. For example, you can have an account on Twitter for your news and an account on Flickr for your photos. You can use OAuth to connect Flickr to Twitter, so you can easily share your photos on Twitter. Twitter will redirect you to Flickr which will ask you "Twitter wants to access your Flickr photos. Ok?”, and then back to Twitter.
User-Centric Identity Framework (UCIF)
E.g. sign in with a username and password
AuthSub
From Google: AuthSub is an authentication proxy service that allows your web applications to get access to Google Apps services (such as Calendar, DocList, and Spreadsheets APIs) without having to handle the user's account login information directly.
Keys to the Kingdom
This problem: if you use a single credential, and it gets lost or stolen, it unlocks everything.
OAuth
From Google: OAuth is a web application authentication mechanism similar to AuthSub, but it is a standard which several companies have adopted. For more information on OAuth, please visit http://code.google.com/apis/accounts/docs/OAuth.html
Public Key Infrastructure (PKI)
TODO
DN: Distinguished Name
The LDAP attribute that uniquely defines an object. Each DN must have a different name and location from all other objects in Active Directory. The DN provides a way of selecting any object in a directory. Components include CN (common name), DC (domain content), OU (organizational unit), etc.
Shibboleth federation software
Identity provider created by Internet2.edu for higher education federations. Will support OpenId and id cards.
YADIS
YADIS defines a simple format for declaring multiple identities, potentially using multiple different protocols.

Questions

OpenId Issues

Can an Active Directory be used as a OpenID provider?
From http://stackoverflow.com/questions/2453769/active-directory-as-openid-provider Yes, you can. Just host an ASP.NET web site that itself uses Active Directory authentication, and exposes an OpenID Provider using DotNetOpenAuth.
Can Active Directory interoperate with Unix?
http://en.wikipedia.org/wiki/Active_Directory

Varying levels of interoperability are possible:

  • Using standards compliant LDAP clients (but these systems may lack some features of AD).
  • Third-party vendors who offer Active Directory integration for Unix platforms, include Centrify (DirectControl), Computer Associates (UNAB), CyberSafe Limited (TrustBroker), Likewise Software (Open or Enterprise), Quest Software (Authentication Services) and Thursby Software Systems (ADmitMac).
  • Open source Samba software provides a way to interface with Active Directory and join the AD domain to provide authentication and authorization
  • Microsoft Windows Services for UNIX product.
  • Peer-to-Peer using 389 Directory Server (formerly Fedora Directory Server) or Java System Directory Server, which can perform a two-way synchronization with Active Directory and thus provide a "deflected" integration with Active Directory as Unix and Linux clients will authenticate to FDS and Windows Clients will authenticate to Active Directory.
Redirection vs. Cookies
http://stackoverflow.com/questions/22015/openid-as-a-single-sign-on-option

Seamlessly logging in with OpenID requires automatic (unverified) redirection between domains.

That makes the OpenID server a 3rd party. This can cause cookies for the OpenID server to be rejected if you turn off 3rd party cookies and your browser strictly follows the Unverifiable Transactions rule in 3.3.6 of RFC2965.

An example of this is Opera. If you turn off 3rd party cookies (by setting the global to "Accept only cookies from the site I visit"), you can't log in with OpenID because the server script you submit to automatically (without your interaction to approve it) redirects you to the OpenID server and the OpenID server does the same to get you back.

But, you get lucky in Firefox, IE and Safari with their corresponding blocking of 3rd party cookies because they violate RFC2965 in multiple situations.

Having to use OpenID in this case does a disservice to more compliant clients.

As a workaround, in Opera, besides accepting all cookeis, you can goto tools -> preferences -> advanced -> Network and turn off Automatic Redirection. Then, you'll be able to verify and click each link you're redirected to and the cookies won't be rejected because the transactions are verified.

It should also work if you keep Automatic Redirection on and both servers generate a page with a link for you to click on so you can verify the transaction. But, there can't be any automatic redirects anywhere.

Logging in with just a username and password where you're only dealing with first party cookies would be much better in this case.

OpenID is still cool though and I guess Opera just needs an option to allow unverifiable transactions between SO and your OpenID server so that you can use "Accept only cookies from the sit


OpenId Outsource Providers

From http://openidexplained.com/get

Name Ease of use Security Remembers information Multiple profiles Anti-phishing measures Password protected
AOL/AIM 3 4 Yes
Blogger 9 4 Yes
ClaimID 9 4 Yes Yes
GetOpenID 7 4 Yes
Google 7 4 Yes Yes
LiveJournal 9 1 Yes
MyOpenID 8 9 Yes Yes Yes Yes
MySpace 6 1 Yes
Sxipper 7 8 Yes Yes Yes Yes
VeriSign 7 7 Yes Yes Yes
Vidoop 8 4 Yes Yes Yes
WordPress 5 1 Yes Yes Yes
Yahoo! 10 4 Yes Yes


Discussion

What is LDAP?

LDAP is really just a database-access protocol, with security and distributed-system features built in. I believe RFC 3377 is the most recent relevant standard. Most LDAP directories are used to keep track of people; therefore there is an InternetOrgPerson type which (if I remember rightly) has the following attributes by default:

However, LDAP types are extensible, so you could create a new type to represent employees, inventory, or even projects, or you could extend an existing type. For instance, you might want to add some of the following to InternetOrgPerson (if they're not already there):

It's even possible to use an SQL or legacy-system database as a backend for OpenLDAP with some custom coding, although I'm sure a lot of people who use it don't bother. So that's what's in the directory. You might still ask, "what is it used for?"

Firstly, Windows, Netware, Solaris and Linux can all be told to get their login information from an LDAP directory. This means that (if it works) someone only needs one account in an organization, that their Windows password is automatically the same as their Unix password, etc. It does not mean that they need to use the same home directory on all systems; but home directories can be automatically created by login scripts. NIS+ was a Unix-only way to distribute just the information found in /etc/passwd; LDAP is cross-platform.

Secondly, some E-mail clients (specifically Netscape, its derivatives, and Outlook; I don't have experience to speak for others) can treat an LDAP directory as an extension of the address-book. That sure beats running down the hall and referring to a printed list every time you want to e-mail someone or call them on the phone and only remember their name.

Book Reviews: Deploying OpenLDAP

http://news.slashdot.org/story/05/03/14/1945218/Deploying-OpenLDAP

Overall, I would say that I left this book with little new information. People that are just now installing OpenLDAP may find the book beneficial, but I really didn't see any material that stood out. My personal belief is that this "Deploying OpenLDAP" needs to provide far more troubleshooting and example deployment scenarios and less regurgitation of manpages and HOWTOs

Novell eDirectory

http://linux.slashdot.org/comments.pl?sid=150730&cid=12641664

Novell eDirectory (formerly NDS) is a technically brilliant tour de force. It's a really amazing package; multimaster replication; multimaster schema changes; extremely efficient over slow links, unbelieveably secure (and has some really sophisicated extensible authentication systems), works on every platform under the sun, the APIs & developer tools are extremely mature, scales like crazy and runs super-fast, and like the previous poster said, it's CHEAP.

Anything else, to me, is a weak imitation--but I guess as long as your directory speaks LDAP all is well. Unless it's Active Directory--which is really just a set of "nested" domains with automated trust relationships. And that part makes it a huge pain in the ass to maintain. (The trick to this is to throw an AD domain into eDirectory and have eDirectory manage the whole thing - it is so flexible it can manage _other directories._)

Novell eDirectory comparison

http://linux.slashdot.org/comments.pl?sid=150730&cid=12642794

In many ways eDirectory is far more sophisticated. It is more close to a true X500 directory and it has some very sophisticated tools for data replication and management. The admin console is streets ahead of the old Netscape Java Console for starters and the APIs are very well developed. It is very easy do do operations such as prune and graft on the Novell Directory than on the typical standalone LDAP directories (Open LDAP, SUN ONE) where you have to essentially delete and recreate the entry rather than just modify the base DN.

One key differentiator is replication strategy. eDirectory and Microsoft AD are genuine multi-master directories, you can configure them to accept updates anywhere and the data then replicates among the cloud of replicated servers. Open LDAP and Netscape's LDAP are have pyramid structure replication, you update a master, it updates slaves and these can update further consumer servers. This approach can have some advantages if you want to secure updates and be able to take a consistent snapshot of your data at a particular point in time.

IBM LDAP Server is free

http://linux.slashdot.org/comments.pl?sid=150730&cid=12642734

IBM has licensed its enterprise-class LDAP directory server software free of charge for over 5 years now. It's currently under the Tivoli brand, going as the IBM Tivoli Directory Server v6.0.

Not only does it pack all the bells and whistles of other enterprise LDAP directories, such as multimaster and cascaded replication models, but instead of flat files it *includes* IBM DB2 UDB enterprise edition database (also licensed free of charge) for its data storage. I've seen the comparative test results, and nothing touches this solution for performance and scalability.

It runs on just about anything, too...including Linux on non-x86 hardware.

LDAP Samba 4 is not very realistic

http://tech.slashdot.org/comments.pl?sid=1096387&cid=26514321

Honestly, I cannot imagine why anyone would want to run a FOSS equivalent Active Directory. After having spent months in setting up a full mixed Windows/Linux environment (OpenLDAP, Kerberos, Samba, the works), I can say that setting up AD is a breeze: for me, it is a prime example where Microsoft took existing technologies (LDAP, DNS, Kerberos) and actually turned it into something useful without the typically associated configuration nightmares. And it works very stable indeed.

And please, cost is not a reason for not going with Active Directory. The cost of a single Windows Server license is absolutely peanuts compared to what *you* cost your employer. The operational costs are what matter in long term and I am pretty confident that Microsoft's AD will do much better than that for the years to come.

Re: LDAP Samba 4 is not very realistic

http://tech.slashdot.org/comments.pl?sid=1096387&cid=26515399

The costs for AD/Exchange, etc. pale in comparison to the administrative salary costs associated with supporting an IT infrastructure and the lost productivity costs of down time.

I've found Samba in a Domain environment to be kind of flaky, and while it's useful for accessing the file system on a Linux server (though I prefer scp) there's no way I would look at replacing any Windows file server that had an SLA with a Samba server. The licensing costs for a Windows server (especially virtualized) are negligible.

On the other hand, there's still no great solution for something similar to AD on Linux. NIS+ is old and sucks. Going through the whole LDAP rigmarole only gets you part of the way and requires a hell of a lot of upkeep depending on the server. Winbind against AD isn't bad though again it's flaky and requires way too much work to setup. I supposed there's the tried and true method of rsync-ing passwd, group and shadow files around.

The combo of AD and Group Policy is pretty killer, It would be really nice to see something similar for Linux, or at the very least improved AD integration would be awesome.

LDAP on its own is not enough

http://linux.slashdot.org/comments.pl?sid=195677&cid=16033842

Really, you need to add kerberos to the mix, especially the heimdall kerberos implementation is attractive, since it allows you to store its settings inside the ldap tree, providing a true centralised secure single signon enviroment.

Using ldap itself is really not much better than using NIS, aside from the fact that it can contain much more than just the user database.


What's Next?

blog comments powered by Disqus