SAML vs OpenID: let's be pragmatic, not dogmatic!

OpenID or SAML?
On reflection, let's be pragmatic, not dogmatic!
As Pascal Thoniel puts it:
"For me it will be OpenID and SAML. I simply need both to lead a fulfilling life on the Internet ..."
Indeed, authentication systems must be agnostic: they must support both approaches. This is also the view of Jason Hart (Senior Vice President, CRYPTOCard).
With that in mind, I recommend the following article by Jason on identity federation.
Jason also runs a blog on strong authentication. A very good source of information.
Happy reading
There is an increasing buzz around federated ID, specifically if it will really work, and what benefits it will bring. Let’s start by defining what federated ID is. Essentially it is single sign-on, creating a digital identity for one person that replicates across, and is recognised by, multiple domains. This provides the ability for an individual to sign on once and access a smorgasbord of tools across multiple parties – internally and externally.
Benefits of federated ID
We each have numerous logins and passwords for various corporate, personal and third party domains. The increasing number of domains we access is compounding the problem of time spent logging in, forgotten passwords and the risk of hacking. When do we reach login-point saturation? Some would say several years ago. Federated ID takes multiple user authentication points away from the user and manages these electronically behind the scenes, requiring just one login point for the user. Specifically, the advent of cloud based solutions has brought the potential for federated ID to the forefront in terms of readiness, cost and accessibility.
SAML-enabled federation
Federated ID is made possible by SAML (Security Assertion Markup Language), which offers a way of communicating the identity, attributes and entitlements of an individual to multiple parties, internally and externally, based upon agreements between these parties. In practice that agreement is anchored in the signing certificate each party publishes in its metadata: the service provider accepts an assertion only if it was signed by the identity provider's key and is addressed to that service provider. Crucially, each party's identity management process is hidden from the others, thereby ensuring confidentiality at each point. For example, a corporate user could access their VPN and Salesforce.com with one login.
Securing federated identities
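The SAML exchange described above ends with the service provider (SP) consuming an assertion issued by the identity provider (IdP). The following is an added example, not code from the article or from CRYPTOCard, showing the checks the SP must enforce on that assertion even after the XML signature has verified: a trusted Issuer, an AudienceRestriction naming this SP, the NotBefore/NotOnOrAfter window, and rejection of a replayed assertion ID. XML-DSig verification itself is assumed to have already been done by a library such as xmlsec; the entity IDs, subject and timestamps are constructed placeholders.

```python
"""SP-side validation of a SAML 2.0 assertion (added example; not from the original
article). Signature verification is assumed to have passed already; these are the
checks that must still be applied to the signed content. All URLs are placeholders."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from xml.sax.saxutils import escape

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def build_assertion(issuer, audience, subject, assertion_id, not_before, not_on_or_after):
    """Construct a minimal unsigned assertion as test input (constructed data, not IdP output)."""
    attr = {'"': "&quot;"}
    return (
        f'<saml:Assertion xmlns:saml="{SAML_NS}" ID="{escape(assertion_id, attr)}" Version="2.0" '
        f'IssueInstant="{not_before.strftime(TIME_FMT)}">'
        f"<saml:Issuer>{escape(issuer)}</saml:Issuer>"
        f"<saml:Subject><saml:NameID>{escape(subject)}</saml:NameID></saml:Subject>"
        f'<saml:Conditions NotBefore="{not_before.strftime(TIME_FMT)}" '
        f'NotOnOrAfter="{not_on_or_after.strftime(TIME_FMT)}">'
        f"<saml:AudienceRestriction><saml:Audience>{escape(audience)}</saml:Audience>"
        f"</saml:AudienceRestriction></saml:Conditions></saml:Assertion>"
    )


def parse_time(value):
    return datetime.strptime(value, TIME_FMT).replace(tzinfo=timezone.utc)


class AssertionValidator:
    def __init__(self, trusted_issuers, sp_entity_id, clock_skew=timedelta(seconds=60)):
        self.trusted_issuers = set(trusted_issuers)
        self.sp_entity_id = sp_entity_id
        self.skew = clock_skew
        self.seen = {}  # assertion ID -> NotOnOrAfter; entries are dropped once expired

    def validate(self, xml_text, now):
        """Return (True, NameID) on success or (False, reason). `now` is injected so the
        checks are testable; production code passes datetime.now(timezone.utc)."""
        # Parse with defusedxml in production to rule out entity-expansion attacks.
        root = ET.fromstring(xml_text)
        if root.tag != f"{{{SAML_NS}}}Assertion":
            return False, "not a SAML 2.0 Assertion"
        issuer = root.findtext("saml:Issuer", namespaces=NS)
        if issuer not in self.trusted_issuers:
            return False, f"untrusted issuer {issuer!r}"
        cond = root.find("saml:Conditions", NS)
        if cond is None or not cond.get("NotBefore") or not cond.get("NotOnOrAfter"):
            return False, "missing validity window"
        not_before = parse_time(cond.get("NotBefore"))
        not_on_or_after = parse_time(cond.get("NotOnOrAfter"))
        if now + self.skew < not_before:
            return False, "assertion not yet valid"
        if now - self.skew >= not_on_or_after:
            return False, "assertion expired"
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if self.sp_entity_id not in audiences:
            return False, f"audience mismatch: {audiences}"
        assertion_id = root.get("ID")
        if not assertion_id:
            return False, "missing assertion ID"
        # Replay cache: an ID only needs remembering until its own NotOnOrAfter has passed.
        self.seen = {k: v for k, v in self.seen.items() if v + self.skew > now}
        if assertion_id in self.seen:
            return False, "replayed assertion"
        self.seen[assertion_id] = not_on_or_after
        return True, root.findtext("saml:Subject/saml:NameID", namespaces=NS)


def demo():
    """Run the validator over constructed assertions; returns the outcome of each case."""
    idp, sp = "https://idp.example.com/metadata", "https://sp.example.com/metadata"
    now = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    v = AssertionValidator([idp], sp)
    fresh = (now - timedelta(minutes=1), now + timedelta(minutes=5))
    good = build_assertion(idp, sp, "alice", "_a1", *fresh)
    return {
        "good": v.validate(good, now),
        "replay": v.validate(good, now),
        "expired": v.validate(build_assertion(idp, sp, "alice", "_a2",
                              now - timedelta(hours=2), now - timedelta(hours=1)), now),
        "wrong_audience": v.validate(build_assertion(
            idp, "https://other-sp.example.com/metadata", "alice", "_a3", *fresh), now),
        "rogue_issuer": v.validate(build_assertion(
            "https://evil.example.net", sp, "alice", "_a4", *fresh), now),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:15s} -> {outcome}")
```

The audience check is the one most often skipped: without it, an assertion the IdP legitimately issued for one service provider can be presented to another one that trusts the same IdP.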
It is commonly recognised that passwords are the weakest link in IT security systems and policies: guess or steal the password and you're in, without detection, because you appear to be a known, trusted individual. Federated ID reduces this risk by eliminating the need for multiple passwords. However, if one password grants access to multiple applications, the damage from compromising that one password is correspondingly greater. The obvious way to mitigate this risk is to implement two-factor authentication that adds a one-time password to the login. With this level of security, federated ID not only increases ease of access, but improves cross-party security and adherence to compliance too.
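The one-time password mentioned above is, in most hardware and software tokens, an HOTP (RFC 4226) or TOTP (RFC 6238) value. As an added example (not code from the article or from any CRYPTOCard product), here is the algorithm with the standard library only, together with the server-side acceptance logic a federation gateway needs: a small drift window for clock skew and refusal of a code whose time step was already consumed. The secret is the RFC test vector seed, used here only so the outputs can be checked against the RFCs.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) in pure Python, plus verification with a drift
window and replay rejection. Added example, not code from the article."""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the big-endian 8-byte counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238: HOTP whose counter is the number of `step`-second periods since the Unix epoch."""
    return hotp(secret, at // step, digits, algo)


def verify_totp(secret: bytes, code: str, at: int, digits: int = 6, step: int = 30,
                window: int = 1, used_steps=None) -> bool:
    """Accept the code for the current step or +/- `window` adjacent steps (clock drift),
    compare in constant time, and refuse a step that was already consumed (replay)."""
    current = at // step
    for drift in range(-window, window + 1):
        step_no = current + drift
        if hmac.compare_digest(hotp(secret, step_no, digits), code):
            if used_steps is not None:
                if step_no in used_steps:
                    return False
                used_steps.add(step_no)
            return True
    return False


# RFC 4226 / RFC 6238 test seed (ASCII "12345678901234567890"). A real token seed is random.
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print(hotp(RFC_SECRET, 0))                # 755224   (RFC 4226 vector, counter 0)
    print(totp(RFC_SECRET, 59, digits=8))     # 94287082 (RFC 6238 vector, T=59, SHA-1)
    used = set()
    print(verify_totp(RFC_SECRET, "94287082", 59, digits=8, used_steps=used))  # True
    print(verify_totp(RFC_SECRET, "94287082", 59, digits=8, used_steps=used))  # False: replay
```

The `used_steps` set must be shared across all verifier instances for a given user (a database row or cache entry, not process memory) or the replay check is defeated by the next request landing on another server.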
Cloud based solutions - extending federated ID to consumers
Cloud based solutions enable an open platform for federated ID across not just corporate domains, but personal domains too. But again, this is where the risk of hacking increases – with users recycling the same password across corporate and personal domains. With an open platform, authentication can also be applied across personal domains. Whilst employers probably don’t care if their employee’s personal web and transactional accounts are hacked, the employee certainly does. Federated ID in the cloud enables a user to either take their company issued authentication token, or purchase their own token from personal domains such as Hotmail, PayPal, Amazon or their bank, and map it across all of these domains, and/or their corporate domain.
Will federated ID ever take off?
The benefits of federated ID are obvious and it will be implemented; indeed the technology already exists to enable it, but to what extent and at what pace remains to be seen. The key is not to be put off by the complexity and cost of implementation, which can be kept to a minimum when employing cloud based solutions.
Jason Hart
--------------------------------
Jason Hart Bio:
As a former ethical hacker with seventeen years' experience in the Information Security industry, Jason has used his knowledge and expertise to create technologies that ensure organisations stay one step ahead of the security game. Jason continues to raise the profile of Information Security risks and solutions, including the introduction of the term CSO (Chief Security Officer) within business.
Jason has published articles and white papers and has appeared on BBC, ITV, CNN, and CNBC as well as Radio 5 and BBC World News. His expertise has been cited in Time, SC, InfoSec, Computing and Computer Weekly magazines and in the FT, Guardian, Times and Evening Standard.
Prior to CRYPTOCard, Jason held senior positions within a number of organizations, including Ernst & Young's Information Security Assurance and Advisory Services practice. Jason has created and developed entire security frameworks as well as Information Security Assessment Methodology. Clients have included NHS, Government, as well as a large number of FTSE 100 organizations.



3 comments:
I totally agree with Jason with respect to federated id and the use of internet applications in the cloud with a single credential. The risk, as he points out, is the vulnerability of maintaining the traditional userid/password paradigm and exposing the risk of identity or document theft across multiple domains.
We have developed a comprehensive federated solution with the LoginTC (www.logintc.com). Its ability to provide roaming users with a two-factor authentication, combined with SAML-enabled capabilities makes it the most comprehensive solution in the marketplace. The user only needs to enable a USB flash drive.
Looking forward, it will be extremely beneficial to ensure that not only corporate business access is achieved, but personal online banking and online payment can also be integrated.
Great insight from Jason.
Hernan M.
Hello Hernan,
Thanks for your comment. And bravo for your services using SAML and Strong Authentication.
Do you have a lot of users now ?
Sylvain
Thank you, Sylvain.
We are working on two pilots right now with pre-selected business customers. They like the two-factor security credential, and the fact that the LoginTC federates with Internet SSO apps.
We are also open to partnerships and/or distributors in Europe. We understand Europeans are more progressive in the federation field, and a 2FA federated credential may be the extra peace of mind they may embrace.
Have you tried the LoginTC? Go and register for a demo test with your own USB flash drive at:
http://www.logintc.com/registration
and experience how Google apps and SugarCRM federate with your USB drive.
Hernan