Fundamentals

Cards (27)

    1. Identity:
    • Refers to user information needed by an application.
    • Stored in data stores like LDAP or databases.
    • Examples: Active Directory in Microsoft data centers.
    2. Authentication:
    • Process of verifying the identity of a user or system.
    • Ensures access to the application based on verified identity.
    3. Authorization:
    • Granting or denying access to resources based on user identity.
    • Crucial for maintaining data security and access control.
    • Identity Provider (IdP):
    • Entity responsible for verifying and authenticating user identities.
    • Service Provider (SP):
    • System that provides services to users after authentication.
    • Token:
    • Data structure representing user authentication and authorization.
    • Assertion:
    • Statement regarding a user's identity or authorization.
    • SAML (Security Assertion Markup Language):
    • XML-based standard for exchanging authentication and authorization data.
    • Authentication:
    • Process of verifying the identity of a user or system.
    • Authorization:
    • Granting or denying access to resources based on user identity or attributes.
  • Authentication in a Web Application
    Web Application Structure:
    • Represents a conventional web application with a user accessing a service provider.
    • Identity Provider (manages user identities) and Service Provider (the application) are key components.
    • Service Provider interacts with an application data store, while Identity Provider controls the Identity database.
  • Identity Provider and Authentication:
    • Identity Provider: Manages user identities and performs authentication.
    • Authentication involves verifying credentials (username and password).
    • User information, including email, first name, last name, and credentials, resides in the Identity data store.
    • Service Provider initiates authentication by sending user credentials to the Identity Provider.
    • Identity Provider confirms authentication and provides user information back to the Service Provider for future use.
  • Authentication vs. Authorization:
    • Authentication: Validates the user's identity.
    • Authorization: Determines the user's access level within the application based on roles or groups.
    • Authentication is the responsibility of the Identity Provider.
    • Authorization falls under the purview of the Service Provider.
  • Components and Terms:
    • Credentials: Typically include a user ID and password but can extend to various authentication mechanisms.
    • User Agent (Browser): Plays a crucial role in redirecting requests between data centers.
  • Roles of Identity Provider and Service Provider:
    • Identity Provider: Focuses on authentication, ensuring the user is who they claim to be.
    • Service Provider: Emphasizes authorization, deciding what functionalities a user can access based on roles or groups.
  • Example Identity Providers (IdPs):
    • Google Identity Platform: Allows users to sign in with their Google accounts, providing authentication and authorization services.
    • Microsoft Azure Active Directory (Azure AD): A cloud-based identity and access management service from Microsoft that supports single sign-on (SSO) and multi-factor authentication.
    • Auth0: A flexible and extensible identity platform that allows developers to add authentication and authorization to their applications.
  • Service Providers (SPs)
    • Entities that rely on Identity Providers (IdPs) to authenticate and authorize users. They consume identity information from IdPs to grant access to their services. Here are some examples of Service Providers:
    1. Netflix: Users can log in using their credentials provided by an Identity Provider to access streaming services.
    2. Dropbox: Allows users to sign in using their IdP credentials to access and manage their files stored in the cloud.
  • Homegrown Security Architecture:
    • Common in the 1990s, where application teams managed both application data and user identities.
    • Identity data store and application data store were integrated, burdening the application team with authentication and authorization tasks.
    • Downsides include multiple identity stores for different applications and security risks associated with user credentials exposure.
    • Not recommended due to its inefficiency and security concerns.
  • LDAP Identity Provider Architecture:
    • LDAP Identity Provider, often Microsoft Active Directory (AD), serves as the centralized identity store.
    • Authentication is handled by the LDAP Identity Provider, and Authorization remains the responsibility of the application.
    • Architecture suitable for applications within the enterprise but faces challenges when applications are deployed in external cloud environments.
    • User credentials are still sent to the application, posing security risks.
  • LDAP Identity Provider Architecture Details:
    • User sends credentials to the application provider.
    • Application provider makes an LDAP call to the LDAP Identity Provider for authentication, using the LDAP protocol over TCP.
    • LDAP Identity Provider verifies user identity with the data store.
    • Authorization remains under the control of the application.
  • Downsides of LDAP Identity Provider Architecture:
    1. External Application Access: Applications in external cloud environments may face challenges accessing the LDAP Identity Provider directly due to security restrictions.
    2. Credential Exposure: User credentials are still sent to the application, posing security risks.
  • Challenges in External Deployment:
    • Applications deployed in Amazon AWS, Google Cloud, or Microsoft Azure cannot directly access the LDAP Identity Provider within the enterprise.
    • Firewall and security measures restrict external access to the Active Directory, creating authentication challenges.
    Transition to a New Architecture:
    • Due to downsides in the LDAP Identity Provider architecture, a new approach using SAML (Security Assertion Markup Language)
  • LDAP Disadvantages:
    1. Data Center Dependency: LDAP needs to be in the same data center as the application, limiting its suitability for cloud applications.
    2. Manual Credential Entry: Users have to manually enter credentials, posing a potential security risk.
  • SAML Addressing LDAP Disadvantages:
    • Diagram illustrates SAML's technique for authenticating across data centers.
    • Web Application 1 and Web Application 2 in different data centers.
    • Security measures prevent direct calls between data centers.
    • SAML leverages HTTP 302 redirects and the user agent (browser) for communication.
  • HTTP Redirects in SAML:
    1. User initiates an HTTP request directed at Web Application 1.
    2. Web Application 1 triggers the user agent to redirect the request to Web Application 2.
    3. Redirection can traverse multiple processes within Web Application 2 as needed.
    4. When Web Application 2 is ready to transmit data back to Web Application 1, the same redirect mechanism is used in the reverse direction, from Web Application 2 to Web Application 1.
  • SAML Solving Manual Credential Entry:
    • Capitalizing on the user's presence in the corporate network, typically integrated with LDAP (often Active Directory).
    • SAML Identity Provider identifies the user sending the request as one already authenticated in the corporate network.
    • User information is passed back to the application without requiring additional manual credential input.
    • Substantially enhances user experience by eliminating the need for manual credential entry.
  • Advantages of SAML:
    1. Cross-Data Center Communication:
    • Achieved through the ingenious use of HTTP redirects.
    • Facilitates effective communication between applications situated in different data centers.
    2. Credential-Free Authentication:
    • Leverages the user's existing authentication in the corporate network.
    • Eliminates the requirement for users to manually input credentials.
  • Overview of SAML in Architecture:
    • Diagram represents the application and application data store in a separate cloud data center.
    • Direct connection between the application and SAML Identity Provider is avoided for security reasons.
    • SAML Identity Provider, LDAP database, and user agent (browser) typically share the same corporate data center.
    • LDAP Identity store maintains user identity, and ADFS (SAML Identity Provider) handles Authentication.
  • Flow of SAML Requests:
    1. User Initiated Request:
    • User sends an initial request to the application.
    • Application, detecting an unauthenticated state, redirects the request to the SAML Identity Provider via the user agent.
    2. SAML Metadata Exchange:
    • Establishment of trust between SAML Identity Provider and Service Provider involves exchanging SAML metadata.
    • Metadata includes information required for Authentication, encryption, and signatures.
  • Flow of SAML Requests:
    3. User Agent Redirects to Identity Provider:
    • User agent facilitates HTTP redirects, sending the request to the SAML Identity Provider.
    • This is a multi-step redirection process initiated by the application.
    4. SAML Identity Provider Authentication:
    • SAML Identity Provider recognizes the logged-in user, authenticates them, and redirects a response back to the SAML Service Provider.
    • SAML claims, including user attributes, are part of the response.
  • Flow of SAML Requests:
    5. Application Processing SAML Response:
    • SAML Service Provider receives the response, extracts user information from SAML claims, and proceeds with application-specific actions.
    • SAML token within the response contains crucial information about the user.
  • SAML
    Importance of User Agent (Browser):
    • Browser is vital for HTTP redirects, a core component of SAML flows.
    • Browser's role is crucial in orchestrating the redirection sequence between the application and SAML Identity Provider.
    Trust in SAML:
    • Trust is established through the exchange of SAML metadata.
    • SAML Identity Provider and Service Provider need each other's certificates to validate responses and maintain secure communication.
  • SAML
    SAML Response Contents:
    • SAML response is encrypted and signed by the SAML Identity Provider.
    • SAML token within the response contains claims (attributes) of the user.
    • Federated user concept: Same Identity used across multiple applications in different data centers.
    Single Sign-On (SSO) and HTTP Redirect:
    • Significance of single sign-on for user experience.
    • HTTP redirect is a critical mechanism in SAML flows, and the browser's role is paramount.
  • Challenges Addressed by SAML:
    • SAML efficiently addresses challenges related to multiple cloud environments and provides seamless single sign-on.
    • Offers federated user experience with a centralized Identity.
  • There is a "Trust" between the SAML Identity Provider and SAML Service Provider. This has to be established before login takes place. This trust enables the providers to understand each other's SAML requests and responses.