
The absolute basics of identity

[Category: Systems (Windows) | Publisher: 店小二03 | Date: 2018 | Author: 红领巾]

I decided to write this up so I don’t have to repeat the same thing over and over again. :-)

Identity is very important. We depend on IT systems for everything. When you sit in a plane, when you go under the knife, when you turn on a light bulb, you are putting your life in the hands of IT systems.

So naturally, identity, i.e. keeping those systems secure and protected and ensuring that the right actors perform the right duties, is quite important.

Now “security” and “identity” are different but joined at the hip. Here I will focus on identity, i.e. the process of identifying yourself to a computer system.

Authorization is another topic that one day I’d love to talk about.

History

When the internet was new, at some point someone thought, hey, we’d better secure this content. So they put a username and password in a form tag. But their buddies saw them entering the password, and the input type password was born. But you didn’t come here to read such old stuff. Let's start at old-fashioned authentication.

Old-fashioned authentication

Here I mean NTLM, Basic Auth, Kerberos etc. These mechanisms are quite valid even today, mostly because of their pervasive use; they are not going to go away anytime soon. But they are unsuitable for the internet. Sure, anything can be twisted to work with anything; you can hammer a nail in with your head if you try hard enough. Go ahead, I’ll watch.

My point is, today when we have billions of IoT devices, millions of smartphones, tablets and Macs, organizations trying to work with each other, teams forming and dissolving, consultants, external partners, your old-fashioned Active Directory, while great at what it does, is not so great at these scenarios on its own.

It needs help! And that help is newer authentication protocols. Enter ADFS.

ADFS or Active Directory Federation Services

ADFS has grown over the years, but its role has stayed the same: to add newer authentication protocols backed by AD, and to add related features on top. Undoubtedly the product will continue to grow, for instance by adding new protocols or by being the backbone of features such as Windows Hello and conditional access. But at a high level, if your application needs, say, SAML or OAuth, and your users are in AD, ADFS is your friend.

The one thing you need to know about identity is that boundaries are fuzzy in some places and very firm in others. For instance, OAuth2 over HTTPS is a firm, non-negotiable boundary. But many other things are fuzzy: conditional access is available in both Azure AD and ADFS, SAML can be used for both browser-based apps and native clients, people use OAuth2 for authentication, etc.

Azure AD

The one thing you need to know about Azure AD is that it is not a replacement for on-premises AD. Your on-premises AD is where you have stored your credentials for many years, and Azure AD can work with that. In fact, Azure AD can work with several different kinds of credentials:

- Passwords hosted in Azure AD: this is the default when you create an Azure AD tenant. By default the identity is something@tenant.onmicrosoft.com, although you can put a custom domain there and still have Azure AD store the password.
- Password hash sync: you use something like Azure AD Connect and sync a hash of a hash of the password.
- Azure AD Connect pass-through authentication: doesn’t require setting up ADFS, but lets you keep passwords in your AD (i.e. never sync them to the cloud) while giving you the advantage of using AD as your single source for credentials, removing all sync hassles (identities still need to be synced, but credentials are not, so they are never out of date and you get instant revocation).
- Azure AD federated authentication: identities are synced, but authentication is federated to a standards-based identity provider such as ADFS.

A lesser known fact is that Azure AD can federate to any standards-compliant identity provider; Azure AD Connect just makes it a lot easier with AD.

Now Azure AD has a lot of functions beyond just “managing user identities”. It also works with numerous other security and identity related technologies. Let's leave those for another day.

The new-fangled authentication

New-fangled authentication started to emerge when the world agreed on “claims-based authentication”, where you are identified by certain characteristics, or claims, about yourself that I, the relying party, can trust without having to talk to whoever issued you those claims.

For example, I am a policeman in Sweden. You are a driver in Sweden with a US passport, and you just got pulled over for speeding. Here I am the relying party, you are the user, and the US government is the identity provider that has issued you a claim (your passport), using which I, the relying party, can verify your identity.

The key here is that I don’t need to call the US president to verify who you are! I trust, and have means of making sure, that the passport you present to me is real.

And that is what gives us internet scale: as long as I can verify who you are and trust the claim you present to me, I can work with your identity.

And this new-fangled authentication comes in numerous forms:
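To make the passport analogy concrete, here is an added example (not code from the original post) of the mechanics behind claims-based authentication: an identity provider signs a set of claims with its private key, and a relying party verifies the token using only the issuer's public key, the expected issuer and audience, and the current time, never contacting the issuer. The token format, the Ed25519 key type and all names (IssueToken, VerifyToken, the "us-passport-office" and "swedish-police" values) are assumptions made for this illustration; real deployments use SAML assertions or JWTs and fetch the issuer's signing keys from its published metadata, but the trust relationship is the same.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is a toy claim set the identity provider asserts about a user.
// Field names mirror the registered JWT claims, but this is not a JWT library.
type Claims struct {
	Issuer   string `json:"iss"`
	Subject  string `json:"sub"`
	Audience string `json:"aud"`
	Expires  int64  `json:"exp"`
	Country  string `json:"country"`
}

// IssueToken is the identity provider's job (the "US government" in the post):
// serialise the claims and sign them with the issuer's private key.
// Token layout (assumed for this example): base64url(payload) "." base64url(signature).
func IssueToken(priv ed25519.PrivateKey, c Claims) (string, error) {
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	sig := ed25519.Sign(priv, payload)
	enc := base64.RawURLEncoding
	return enc.EncodeToString(payload) + "." + enc.EncodeToString(sig), nil
}

// VerifyToken is the relying party's job (the "Swedish policeman"). It needs only
// the issuer's public key, the issuer/audience it expects, and the current time.
func VerifyToken(pub ed25519.PublicKey, token, issuer, audience string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 2 {
		return nil, errors.New("malformed token")
	}
	enc := base64.RawURLEncoding
	payload, err := enc.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	sig, err := enc.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	// Check the signature before trusting anything inside the payload.
	if !ed25519.Verify(pub, payload, sig) {
		return nil, errors.New("bad signature")
	}
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, err
	}
	// A valid signature is not enough: the token must come from the issuer we
	// trust, be meant for us, and still be within its validity window.
	if c.Issuer != issuer {
		return nil, errors.New("unexpected issuer")
	}
	if c.Audience != audience {
		return nil, errors.New("token not intended for this relying party")
	}
	if now.Unix() >= c.Expires {
		return nil, errors.New("token expired")
	}
	return &c, nil
}

func main() {
	// The issuer generates its key pair once; only the public half is shared.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Now()
	tok, _ := IssueToken(priv, Claims{
		Issuer: "us-passport-office", Subject: "traveller-42",
		Audience: "swedish-police", Expires: now.Add(time.Hour).Unix(), Country: "US",
	})
	c, err := VerifyToken(pub, tok, "us-passport-office", "swedish-police", now)
	fmt.Printf("genuine token: %+v, err=%v\n", c, err)

	// A forged payload reusing the genuine signature fails the signature check.
	forged, _ := json.Marshal(Claims{Issuer: "us-passport-office", Subject: "someone-else",
		Audience: "swedish-police", Expires: now.Add(time.Hour).Unix(), Country: "US"})
	parts := strings.Split(tok, ".")
	_, err = VerifyToken(pub, base64.RawURLEncoding.EncodeToString(forged)+"."+parts[1],
		"us-passport-office", "swedish-police", now)
	fmt.Println("forged token:", err)
}
```

The order of checks in VerifyToken is the part worth copying: signature first, then issuer, audience and expiry. A token that is signed by the right key but addressed to a different relying party, or that has expired, is rejected just the same as a forged one.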

- WS-Federation
- SAML
- OAuth and OpenID Connect

And there are some OAuth2 specific concepts to know about,

Source: https://www.codesec.net/view/620739.html