
The Beginner's Guide to Alternative Authentication

Chris Cornutt
February 20, 2015


It's pretty common for developers to go with the same kinds of authentication handling when they're creating their applications with permissions and groups. Unfortunately, as applications grow in size and interact with other systems, this kind of system sags under the weight of its own technical debt. Follow along with me as I talk about some alternatives to the typical RBAC authorization, including attribute-based, multifactor, pattern-based and federated identity providers.



Transcript

  1. <Policy PolicyId="SamplePolicy"
             RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
       <!-- This Policy only applies to requests on the SampleServer -->
       <Target>
         <Subjects>
           <AnySubject/>
         </Subjects>
         <Resources>
           <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
             <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">SampleServer</AttributeValue>
             <ResourceAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string"
                                          AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"/>
           </ResourceMatch>
         </Resources>
         <Actions>
           <AnyAction/>
         </Actions>
       </Target>
       <!-- Rule to see if we should allow the Subject to login -->
       <Rule RuleId="LoginRule" Effect="Permit">
         <!-- Only use this Rule if the action is login -->
         <Target>
           <Subjects>
             <AnySubject/>
           </Subjects>
           <Resources>
             <AnyResource/>
           </Resources>
           <Actions>
             <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
               <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">login</AttributeValue>
               <ActionAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string"
                                          AttributeId="ServerAction"/>
             </ActionMatch>
           </Actions>
         </Target>
         <!-- Only allow logins from 9am to 5pm -->
         <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
           <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-greater-than-or-equal">
             <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-one-and-only">
               <EnvironmentAttributeSelector DataType="http://www.w3.org/2001/XMLSchema#time"
                                             AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-time"/>
             </Apply>
             <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#time">09:00:00</AttributeValue>
           </Apply>
           <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-less-than-or-equal">
             <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-one-and-only">
               <EnvironmentAttributeSelector DataType="http://www.w3.org/2001/XMLSchema#time"
                                             AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-time"/>
             </Apply>
             <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#time">17:00:00</AttributeValue>
           </Apply>
         </Condition>
       </Rule>
       <!-- We could include other Rules for different actions here -->
       <!-- A final, "fall-through" Rule that always Denies -->
       <Rule RuleId="FinalRule" Effect="Deny"/>
     </Policy>
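The policy on the slide only shows the attribute-based rules; what it does not show is how a policy decision point turns them into Permit, Deny, NotApplicable or Indeterminate, and why the trailing "fall-through" Deny rule matters. The following is an added example written for this page (it is not the deck's code and not a real XACML engine): it hand-codes the slide's policy in Python and combines the rules with the permit-overrides algorithm as the XACML specification's pseudocode describes it. The XML is not parsed, only the attributes the slide uses are modelled, and `decide` is a hypothetical helper standing in for the policy enforcement point.

```python
"""Decide requests against a policy shaped like the deck's SamplePolicy slide.

Added example for this page (not the deck's code, not a real XACML PDP).
"""
from dataclasses import dataclass, field
from datetime import time
from typing import Callable, Dict, List, Optional

PERMIT, DENY = "Permit", "Deny"
NOT_APPLICABLE, INDETERMINATE = "NotApplicable", "Indeterminate"

# Attribute identifiers used by the slide's policy.
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
CURRENT_TIME = "urn:oasis:names:tc:xacml:1.0:environment:current-time"
ACTION_ID = "ServerAction"


class MissingAttribute(Exception):
    """A designator found no value; *-one-and-only then makes the rule Indeterminate."""


@dataclass
class Request:
    # The PEP's request context: one attribute bag per category, keyed by AttributeId.
    resource: Dict[str, str]
    action: Dict[str, str]
    environment: Dict[str, time] = field(default_factory=dict)


def one_and_only(bag: Dict[str, time], attribute_id: str) -> time:
    # XACML time-one-and-only: the bag must hold exactly one value.
    if attribute_id not in bag:
        raise MissingAttribute(attribute_id)
    return bag[attribute_id]


@dataclass
class Rule:
    rule_id: str
    effect: str
    target: Callable[[Request], bool] = lambda req: True     # AnySubject/AnyResource/AnyAction
    condition: Callable[[Request], bool] = lambda req: True  # no <Condition>

    def evaluate(self, req: Request) -> str:
        # Target unmatched or Condition false -> NotApplicable; lookup failure -> Indeterminate.
        try:
            if not self.target(req) or not self.condition(req):
                return NOT_APPLICABLE
        except MissingAttribute:
            return INDETERMINATE
        return self.effect


def permit_overrides(rules: List[Rule], req: Request) -> str:
    """urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides."""
    at_least_one_error = potential_permit = at_least_one_deny = False
    for rule in rules:
        decision = rule.evaluate(req)
        if decision == PERMIT:
            return PERMIT                  # any Permit wins outright
        if decision == DENY:
            at_least_one_deny = True
        elif decision == INDETERMINATE:
            at_least_one_error = True
            if rule.effect == PERMIT:
                potential_permit = True    # a Permit rule might have fired
    if potential_permit:
        return INDETERMINATE
    if at_least_one_deny:
        return DENY
    return INDETERMINATE if at_least_one_error else NOT_APPLICABLE


@dataclass
class Policy:
    policy_id: str
    target: Callable[[Request], bool]
    rules: List[Rule]

    def evaluate(self, req: Request) -> str:
        if not self.target(req):
            return NOT_APPLICABLE          # the Policy's own Target did not match
        return permit_overrides(self.rules, req)


def business_hours(req: Request) -> bool:
    """The slide's <Condition>: 09:00:00 <= current-time <= 17:00:00."""
    now = one_and_only(req.environment, CURRENT_TIME)
    return time(9, 0, 0) <= now <= time(17, 0, 0)


SAMPLE_POLICY = Policy(
    policy_id="SamplePolicy",
    target=lambda req: req.resource.get(RESOURCE_ID) == "SampleServer",
    rules=[
        Rule("LoginRule", PERMIT,
             target=lambda req: req.action.get(ACTION_ID) == "login",
             condition=business_hours),
        Rule("FinalRule", DENY),           # fall-through: no Target, no Condition
    ],
)


def decide(resource: str, action: str, now: Optional[str]) -> str:
    """Hypothetical PEP helper: build the request (now as "HH:MM:SS", or None if unknown)."""
    env = {CURRENT_TIME: time.fromisoformat(now)} if now is not None else {}
    req = Request(resource={RESOURCE_ID: resource}, action={ACTION_ID: action}, environment=env)
    return SAMPLE_POLICY.evaluate(req)
```

Two things worth noticing when you run it. A login at 18:30 comes back Deny only because FinalRule exists; without it the LoginRule's false condition would leave the policy NotApplicable, and a request for a resource the policy does not target is NotApplicable either way. A request with no current-time attribute comes back Indeterminate, since the permit-overrides algorithm cannot rule out that the Permit rule would have fired. The enforcement point must treat both NotApplicable and Indeterminate as a refusal, never as "no objection".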
  2. SAML: Security Assertion Markup Language
     Assertions: statements used in IdP decisions
     Protocols: how elements are packaged
     Bindings: mapping of protocol messages onto standard transport formats (HTTP Redirect, HTTP POST, SOAP)
     Profiles: combine assertions, protocols and bindings
  3. SAML: Security Assertion Markup Language, Authentication Context
     Schemas: Intranet, MobileTwoFactor, PublicKey, SSL/TLS Certificate, etc.
     Identification information
     How "secret" is defined
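Slides 2 and 3 list what an assertion carries and how the authentication context tells the service provider how the user was actually authenticated. What a service provider should do with that information is the part an integrator gets wrong most often, so here is an added example, written for this page and not part of the deck, of the checks to run on a SAML 2.0 assertion before accepting it: issuer, validity window, audience, and a minimum authentication context class. It assumes the assertion's XML signature has already been verified by the caller (XMLDSig is deliberately out of scope), uses an assertion constructed for the example, and the strength ranking of context classes is this example's own choice, not anything SAML prescribes.

```python
"""Check a SAML 2.0 assertion's Conditions and AuthnContext before trusting it.

Added example for this page, not the deck's code. Assumes the caller already
verified the assertion's XML signature; the sample assertion is constructed.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}
AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"

# Standard SAML 2.0 authn context class URIs, ranked by how much they prove.
# The ranking itself is an assumption of this example; set yours from your risk model.
STRENGTH = {
    AC + "unspecified": 0,
    AC + "Password": 1,
    AC + "PasswordProtectedTransport": 2,
    AC + "TLSClient": 3,
    AC + "X509": 3,
    AC + "MobileTwoFactorContract": 4,
    AC + "Smartcard": 4,
}


class AssertionRejected(Exception):
    """Raised with the reason an assertion must not be used to log someone in."""


def parse_instant(value: str) -> datetime:
    # SAML time values are xs:dateTime in UTC; fractional seconds are not handled here.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text: str, trusted_issuer: str, our_entity_id: str,
                       required_class: str, now: str,
                       skew: timedelta = timedelta(minutes=3)) -> Dict[str, Optional[str]]:
    """Return the subject's NameID and authn class, or raise AssertionRejected."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML_NS}}}Assertion" or root.get("Version") != "2.0":
        raise AssertionRejected("not a SAML 2.0 Assertion")
    if (root.findtext("saml:Issuer", namespaces=NS) or "").strip() != trusted_issuer:
        raise AssertionRejected("issuer is not the IdP we federate with")

    conditions = root.find("saml:Conditions", NS)
    if conditions is None:
        raise AssertionRejected("assertion carries no Conditions")
    moment = parse_instant(now)
    not_before = conditions.get("NotBefore")
    not_on_or_after = conditions.get("NotOnOrAfter")
    if not_before and moment + skew < parse_instant(not_before):
        raise AssertionRejected("assertion not yet valid")
    if not_on_or_after and moment - skew >= parse_instant(not_on_or_after):
        raise AssertionRejected("assertion expired")
    audiences = [(a.text or "").strip()
                 for a in conditions.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if our_entity_id not in audiences:
        raise AssertionRejected("assertion was issued for a different service provider")

    class_ref = (root.findtext("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef",
                               namespaces=NS) or "").strip()
    if STRENGTH.get(class_ref, 0) < STRENGTH[required_class]:
        raise AssertionRejected(f"authentication context {class_ref or '(none)'} is too weak")
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    return {"name_id": (name_id or "").strip(), "authn_class": class_ref}


def accept(xml_text, trusted_issuer, our_entity_id, required_class, now):
    """Return (accepted, detail) so the decision can be logged either way."""
    try:
        return True, validate_assertion(xml_text, trusted_issuer, our_entity_id, required_class, now)
    except AssertionRejected as why:
        return False, str(why)


# Constructed sample assertion (unsigned; signature verification is assumed to happen before this).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-assertion-1" Version="2.0" IssueInstant="2015-02-20T14:00:00Z">
  <saml:Issuer>https://idp.example.org/metadata</saml:Issuer>
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2015-02-20T14:00:00Z" NotOnOrAfter="2015-02-20T14:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://app.example.com/sp</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2015-02-20T13:59:50Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""
```

The same assertion is accepted when the application requires PasswordProtectedTransport and refused when it requires MobileTwoFactorContract: the IdP reports how the user authenticated, and it is the service provider's job to decide whether that is enough for the action at hand. Skipping the audience check is the classic mistake, since an assertion minted for one service provider could otherwise be replayed against another that trusts the same IdP.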
  4. So, which to use?
     Level of protection needed
     Current systems and integration
     Defense in depth
     Risk (frequency, probability, cost)
     Don't have to pick just one...