(2) Federated ID Tech Flashcards
What is Security Assertion Markup Language (SAML)?
SAML is an XML-based standard for exchanging authentication and authorization data between identity providers and service providers.
What does Security Assertion Markup Language (SAML) do?
SAML enables the exchange of authentication, authorization decision, and attribute statements.
What does Security Assertion Markup Language (SAML) allow ID providers to do?
SAML allows identity providers to make assertions about principals to service providers, which then decide whether or not to let the user log in.
What is Active Directory Federation Services (AD FS)?
AD FS is Microsoft's response to federation. AD FS does the following:
-It sends authentication and identity information as claims to third-party sites.
-The sites use trust policies to map the incoming claims to the claims supported by the service, and then use those claims to make authorization decisions.
Describe the process that AD FS uses when a user tries to log in
The user first contacts the AD FS-capable web application hosted by a resource partner.
The AD FS web agent on the partner's web server checks for an AD FS-compatible cookie. If the cookie is present, the user is in. If not, the user has to talk to the AD FS server.
The resource partner's AD FS checks for the SAML token that the account partner must have issued. If it is not there, AD FS performs home realm discovery.
Home realm discovery identifies the federation server associated with the user and then authenticates that user in the home realm.
The account partner then issues a security token containing the identity information as claims, and sends the user back to the resource partner's AD FS.
The resource partner's AD FS validates the token and then uses its trust policy to map the account partner's claims to the claims supported by the web application.
Finally, AD FS creates a new SAML token containing the resource partner claims, and the cookie is stored on the user's computer. The user is then redirected to the web application, which sees the cookie and grants the access allotted to the user.
What is OAuth 2.0?
OAuth 2.0 is an authorization framework that allows third-party applications to obtain access to HTTP services.
It provides delegated access, so that a service can perform actions on the user's behalf.
What four parties does the OAuth flow communicate with?
The four parties that the OAuth flow communicates with are:
-Clients (the applications the user wants to use)
-Resource Owners (the users)
-Resource Servers (servers belonging to the service that host the resources the resource owner wants the application to use)
-Authorization Servers (servers owned by the identity provider)
How does Authentication work with OAuth 2.0?
With OAuth 2.0:
-The client tries to access the third-party service.
-The third-party site (the consumer) is directed to the service provider so the user can prove they are who they claim to be.
-The consumer sends a request to obtain a request token.
-The service provider verifies (hopefully) the user's identity, then issues a request token and leads the consumer back to the service provider.
-The service provider then obtains the user's authorization and sends the user to the site owned by the third party.
-The consumer requests the access token, the provider grants it, and the consumer can then use what it needs on the site.
What is often combined with OAuth to provide authentication?
-OpenID Connect is often paired with OAuth to provide authentication.
-The authorization server is able to issue an ID token alongside the authorization token provided by OAuth.
-In this way the service knows both what action was allowed and that the user authenticated with the identity provider.
What is Privileged Access Management (PAM)?
PAM is the set of technologies and practices used to manage and secure privileged accounts, access, and permissions for systems, users, and applications in an organization.
What is the main idea with Privileged Access Management (PAM)?
The main idea is least privilege: only the privileges needed to complete the task should be granted.
With Privileged Access Management (PAM), what non-traditional account types are taken into consideration?
In addition to the usual superuser accounts such as root, admin, etc., PAM also manages service accounts, application accounts, domain admin accounts, and others.
Users who have special capabilities on a system also fall under this purview.
What common issues do Privileged Access Management (PAM) systems help to solve?
PAM helps address over-provisioning of privileges, lifecycle management, and privilege creep (people retaining access to systems they should no longer have access to once they move into a new role).
What is a Cloud Access Security Broker (CASB)?
A CASB is a policy enforcement point, either on-premises or cloud-based, that enforces security policy when cloud resources and services are used.
What important security topics does a Cloud Access Security Broker (CASB) help with?
A CASB helps with data security, anti-malware functions, and visibility into service usage and access. It requires ongoing attention and proper configuration to remain useful.