Full Program »
T6. Authentication & Authorization Standards for the Cloud
Tuesday, 10 December 2013
08:30 - 12:00
DH Holmes B
This course aims to introduce different technologies available for single sign on and federated identity in cloud environments. We also cover existing and emerging authorization technologies in the cloud. Specifically, we will look at OAuth 2.0 as a lightweight approach for authorization for RESTful services and application. We review through some use cases what benefits it provides and how it can be integrated with other technologies like SAML 2.0 to provide integration, federation and interoperability in cloud computing environments. We will also introduce the System for Cross-domain Identity Management (SCIM) specification which is an ongoing effort designed to make managing user identity in cloud based applications and services easier. Then, we cover the IEEE Standard for Intercloud Interoperability and Federation (SIIF) which is an ongoing effort for cloud-to-cloud interoperability and federation. Finally we will look at efforts undertaken by government agencies regarding authentication and authorization in the cloud.
Prerequisites. No specific prerequisite is required. Being familiar with general security concepts, authentication, and authorization is enough.
Single Sign On (SSO) Technologies for cloud computing (20 min)
An introduction to various SSO technologies that are being used or are emerging as de facto standard will be provided.
The Security Assertion Markup Language (SAML) 2.0 (20 min)
SAML is an XML-based framework for communicating user authentication, entitlement, and attribute information. A high-level overview of SAML will be given followed by a technical introduction to SAML concepts and capabilities.
The OAuth 2.0 Authorization Framework & Use Cases (30 min)
The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf. An overview of the OAuth 2.0 is given with details of various flows and a comparison between flows. We will also discuss some OAuth use cases to show its applicability in real world and demonstrate how enterprises can use OAuth for authorization and how to choose the best flow based on scenarios.
SAML 2.0 Bearer Assertion Profiles for OAuth 2.0 and its integration with OAuth 2.0 (30 min)
We discuss the use of a SAML 2.0 Bearer Assertion as a means for requesting an OAuth 2.0 access token as well as for use as a means of client authentication. We will also discuss how to use SAML and OAuth 2.0 together to achieve best integration and management simplicity in identity and policy domains.
System for Cross-domain Identity Management (SCIM) (30 min)
The System for Cross-domain Identity Management (SCIM) specification is designed to make managing user identity in cloud based applications and services easier. The specification suite seeks to build upon experience with existing schemas and deployments, placing specific emphasis on simplicity of development and integration, while applying existing authentication, authorization, and privacy models. An overview of the specification will be given along with benefits it provides and some use cases. We will also discuss in detail how to bind the System for Cross-domain Identity Management (SCIM) schema to the Security Assertion Markup Language (SAML).
IEEE Standard for Intercloud Interoperability and Federation (SIIF) (20 min)
This standard defines topology, functions, and governance for cloud-to-cloud interoperability and federation. Topological elements include clouds, roots, exchanges (which mediate governance between clouds), and gateways (which mediate data exchange between clouds). Functional elements include name spaces, presence, messaging, resource ontologies (including standardized units of measurement), and trust infrastructure. Governance elements include registration, geo-independence, trust anchor, and potentially compliance and audit.
Government efforts (30 min)
We briefly review the cloud authentication & authorization approaches recommended by various agencies such as the Federal Risk and Authorization Management Program (FedRAMP), DoD's Cloud Computing Strategy and NIST's Guidelines on Security and Privacy in Public Cloud Computing.
About the Instructor:
Dr. Hassan Takabi is an Assistant Professor in the Department of Computer Science and Engineering and member of the Center for Information and Computer Security (CICS) at the University of North Texas. He received his PhD from the University of Pittsburgh and his research interests include access control models, trust management, privacy enhancing technologies, usable security and privacy, and security, privacy, and trust issues in cloud computing environments and online social networks. He is member of IEEE and the ACM.