sp c-final

Size: px

Start display at page:

Download "sp c-final"

きみえなぐも
7 years ago
Views:

1 NIST SP C - Federation and Assertions - Nov Matake

2 Nov Matake OpenID Foundation Japan WG #idcon OAuth.jp YAuth.jp LLC

4 Federation Assurance Level (FAL) Federation Assurance Level Federation Assertion / Artifact Lv.1 Assertion Lv.2 Lv1 RP Assertion Lv.3 Lv.2 Holder-of-Key Assertion (Proof-of-Posession) Subscriber Assertion

5 Terms Approved Cryptography FIPS or NIST Recommendation / Assertion / Assertion IdP Authentication Event Subscriber Attribute e.g., OIDC ID Token / SAML Assertion Assertion Reference (Artifact) e.g., Authorization Code / SAML Artifact ref.) Appendix A

6 Terms Attribute Value e.g., Attribute Reference (Attribute Claim) (?) e.g., 18, 12 Pairwise Pseudonymous Identifier (PPID) IdP-RP ref.) Appendix A

8 FAL

9 800-63C FAL

10 Requirements for FAL 1-3 FAL Assertion Signing Encryption Lv.1 Bearer Required Not Required Lv.2 Bearer Required Required Lv.3 Holder-of-Key Required Required

11 (FAL )

12 Section Name Normative/Informative 1. Purpose Informative 2. Introduction Informative 3. Definitions and Abbreviations Informative 4. Federation Assurance Level (FAL) Normative 5. Federation Normative 6. Assertion Normative 7. Assertion Presentation Normative 8. Security Informative 9. Privacy Considerations Informative 10. Usability Considerations Informative 11. Examples Informative 12. References Informative

13 4. FAL FAL1-3 Key Management IdP RP RP IdP RP Runtime Decisions White List / Black List / Gray List / RP /

14 5. Federation Manual Registration Dynamic Registration Federation Authority Trust Framework Provider Authority Proxied Federation IdP RP Proxy (Broker)

15 Manual Reg. v.s. Dynamic Reg. Manual Registration White List White Listed RP Dynamic Registration White List

16 Federation Authority

17 Proxied Federation IdP RP IdP PPID Proxy IdP RP IdP RP

18 6. Assertion Common Metadata Subject, Issuer, Audience,,, etc. IAL AAL Assertion Bindings Bearer Holder-of-Key (Proof-of-Possession) Assertion Protection,, Audience Restriction, PPID etc.

19 Bearer v.s. Holder-of-Key

20 Bearer v.s. Holder-of-Key

21 Holder-of-Key [RFC 7800] Proof-of-Possession Key Semantics for JWTs [draft] OpenID Connect Token Bound Authentication SAML V2.0 Holder-of-Key Web Browser SSO Profile

22 7. Assertion Presentation Back-Channel Presentation Assertion Reference (Artifact) Back-Channel Artifact Assertion e.g.,) OpenID Connect Code Flow Front-Channel Presentation Assertion e.g.,) OpenID Connect Implicit Flow

23 Back-Channel Presentation

24 Back-Channel Presentation Assertion Reference RP RP Authentication Channel Authenticated Protected Channel (e.g., TLS)

25 Front-Channel Presentation

26 Front-Channel Presentation Assertion (= FAL2 ) OpenID Connect Implicit Flow Channel Authenticated Protected Channel (e.g., TLS)

27 Protecting Information Authenticated Protected Channel (e.g., TLS) IdP <-> RP IdP <-> End-User RP <-> End-User API Attribute UserInfo API Attribute Reference 18

28 OpenID Connect / SAML

29 OpenID Connect SAML Profile

30 63C

PowerPoint プレゼンテーション

PowerPoint プレゼンテーション Room D Azure Active Directory によるクラウドアプリ連携編 ~ Password Windows Intune Password Windows Intune デスクトップ PC(Windows) に対するガバナンス Azure Active Directory World SaaS Windows Server Active Directory World 業務データ