Federation of identities: principles and dangers

Federation of identities: principles and dangers

Recently, a presentation from the "Troopers" conference on the principles and dangers of identity federation has been posted online.

This presentation, which details the basic principles of federation through the various existing protocol mechanisms, concludes with a discussion of the dangers that federation can entail if poorly implemented.

The presenter, Dominick Baier, is a security consultant at ThinkLecture. He specializes in access and identity management for distributed applications using Microsoft technologies.

[youtube]https://www.youtube.com/watch?v=PGrL0pxkyXk[/youtube]

Things to remember :

Technical issues :

  • Complex protocols
    • Avoid implementing them yourself.
    • Favoring the use of reliable, reputable products or dedicated libraries.
  • Identity federation a popular target
    • The principle allows access to multiple resources from a single pair of credentials
    • Open redirection opens the way to phishing.
    • Control redirects with tokens to avoid CSRF vulnerabilities.
  • In most implementations, the browser is the gateway to the
    • Known and unknown attacks on browsers can corrupt a federation implementation.
    • Tools such as "SSLStrip" can be used for federation exchanges, and additional encryption of assertions is recommended.
    • The use of web services generally enhances overall security through strict security policies.

Identity federation is beneficial:

  • Reduction in the number of credentials (especially those considered weak).
  • Improved user experience in the "login" phase
  • Remove/reduce authentication code in applications.
  • Isolation of code relating to complex security mechanisms.
  • Eliminates friction in B2B scenarios.
  • Fully cloud-compatible mechanism.

The presentation slides can be obtained here.

SYNETIS consultants provide consultancy, expertise and implementation services for identity federation solutions from leading vendors such as PingIdentity, ForgeRock and ILEX. Please do not hesitate to contact us for further information.

Sources & Resources:

Yann

Security Consultant

Tags : , , , , , , , , , , , , , , , ,
  • Post published:May 14, 2014
  • Author of the publication :

Yann CAM

Security Consultant