Auth Flashcards
When was the original publication of OAuth 2.0?
2012
RFC number for the OAuth 2.0 original publication
6749
RFC 8252
OAuth 2.0 for Native Apps
RFC 7636
Proof Key for Code Exchange
RFC 6750
Bearer Tokens
RFC 6819
Threat Model and Security Considerations
RFC 7662
Token Introspection
RFC 7009
Token Revocation
RFC 7519
JSON Web Token
RFC 8414
Authorization Server Metadata
RFC 7591
Dynamic Client Registration
SCIM
System for Cross-domain Identity Management
RFC 7644
Defines SCIM
layman definition of shibboleth
any custom or tradition, usually a choice of phrasing or even a single word, that distinguishes one group of people from another.
LDAP
Lightweight Directory Access Protocol
Lightweight Directory Access Protocol
an open, vendor-neutral, industry standard application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network
RFC 4511
LDAP
IdM
Identity Management
IAM
Identity and Access Management
When was SCIM 1.0 released?
2011
When was SCIM 2.0 released?
2015
SCIM use case example
as a company onboards new employees and separates from existing employees, they are added and removed from the company’s electronic employee directory. SCIM could be used to automatically add/delete (or, provision/de-provision) accounts for those users in external systems such as G Suite, Office 365, or Salesforce.com. Then, a new user account would exist in the external systems for each new employee, and the user accounts for former employees might no longer exist in those systems.
In addition to simple user-record management (creating & deleting), SCIM can also be used to
SCIM’s other RFC
7643
What is Shibboleth Single Sign-On and Federating Software
a standards based, open source software package for web single sign-on across or within organizational boundaries. It allows sites to make informed authorization decisions for individual access of protected online resources in a privacy-preserving manner.
SAML
Security Assertion Markup Language
Security Assertion Markup Language
an open standard for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider.
Security Assertion Markup Language ( other definition)
an open standard that allows identity providers (IdP) to pass authorization credentials to service providers (SP).
when was the SAML 1.0 spec created?
Nov 2002
The three main players in SAML
Service Provider, Client, and Identity Provider
What is a SAML Service Provider called in OAuth2?
Resource Server
What is a SAML Identity Provider called in OAuth2?
Authorization Server
What is the high level structure of a SAML Assertion?
just an XML node with certain elements
The most common SAML flow

principal
the user trying to authenticate. You can think of this as the actual human behind the screen
Service provider
the services that are requesting authentication and identity information about the principal
What does SAML use to sign requests?
XMLDSIG
What are the two types of flows SAML supports?
those initiated by the service provider and those initiated by the identity provider
XMLDSIG
XML Digital Signatures
SP-initiated flow
Service Provider initiated SAML flow
Bindings
the format in which data is transferred between service providers and identity providers in SAML
most popular SAML bindings
HTTP Redirect Binding and HTTP POST Binding
in SAML, HTTP Redirect Bindings transfer data using what?
HTTP redirects and query parameters
In SAML, HTTP POST bindings transfer data using what?
HTTP POST forms
In SAML, HTTP Redirect Bindings are typically used in what?
authentication requests
In SAML, HTTP Post Bindings are typically used in what?
authentication responses
Assertions
statements made by the identity provider about the principal.
What are some examples of SAML assertions?
the principal’s email address and/or groups/roles the principal may be associated with
Assertions are used by _____ to _____
the service provider; to create and configure sessions for a principal.
SPML
Service Provisioning Markup Language
Step A of typical SAML 2.0 flow

Typical step B of SAML 2.0 flow
How do you make a Grant sort of equivalent to an Authorization Code Flow?
use Authorization Code Grant option and scope="openid profile"
AuthN
short for Authentication
AuthZ
short for Authorization
OAuth is short for
OpenAuthentication
A SAML service provider manages an _____________ endpoint that receives authentication assertions from identity providers
Assertion Consumer Service
The entity descriptor for a SAML Service Provider contains an ________ element
<md:SPSSODescriptor>
the entity descriptor of a SAML Service Provider Metadata document contains at least one _______ endpoint
<md:AssertionConsumerService>
the root element of a SAML Service Provider metadata document
<md:EntityDescriptor>
in an RBAC system, an authenticated user usually has what principals?
userId and roleId
from the perspective of authorization, what is the difference between principals and subjects?
principals are the actual entities for which access is allowed or disallowed. Subject is just a user/thread/process that holds some principals.
ADFS
Active Directory Federation Services (ADFS) is a Single Sign-On (SSO) solution created by Microsoft
TIER
trust-identity-education-research
WSGI
Web Server Gateway Interface
Web Server Gateway Interface
It is a specification that describes how a web server communicates with web applications, and how web applications can be chained together to process one request. WSGI is a Python standard described in detail in PEP 3333.
What is the difference between a certificate and a key with respect to SSL?
A certificate contains a public key.
The certificate, in addition to containing the public key, contains additional information such as issuer, what the certificate is supposed to be used for, and other types of metadata.
Typically, a certificate is itself signed by a certificate authority (CA) using CA’s private key. This verifies the authenticity of the certificate.
CA
Certificate Authority
How many root certificates do browsers come preinstalled with?
100-300, as of 2020
certificate authority
an entity that issues digital certificates
What does a digital certificate do?
certifies the ownership of a public key by the named subject of the certificate
What are the two most common ways CAs authenticate the recipient of a certificate (e.g. the owner of a domain)?
domain validation and extended validation
CSR
Certificate Signing Request
Certificate Signing Request
a message sent from an applicant to a certificate authority in order to apply for a digital identity certificate
How to generate a private key with openssl
openssl genrsa -des3 -out private_key.pem 2048
What does the -des3 flag in “openssl genrsa -des3 -out private_key.pem 2048” do?
It brings up a prompt for you to encrypt the private key with a password. -des3 means that it will encrypt the private key with the DES3 cipher
how to create a certificate signing request using openssl
openssl.exe req -new -key yourcertname.key -out yourcertname.csr
create openssl cert given key and csr
openssl req -x509 -sha256 -days 365 -key frontend.key -in frontend.csr -out frontend.crt