Security Assertion Markup Language: SAML Profiles Explained

SAML is an XML-based framework for generating and exchanging security information between parties that already know of one another. It is used to provide web-based single sign-on (SSO) beyond the intranet.

Profiles describe how SAML assertions, protocols and bindings are combined to support a specific use case. They define constraints and/or extensions for using SAML with a particular application.

SAML Profiles include:

Enhanced Client and Proxy (ECP) Profile: Specifies how <AuthnRequest> protocol messages are used with the Reverse SOAP (PAOS) binding. Used for mobile devices communicating through a WAP gateway.

Identity Provider Discovery Profile: Lets a Service Provider discover which Identity Providers a principal is using.

Web Browser SSO Profile: Specifies how <AuthnRequest> protocol messages are to be used with HTTP Redirect, HTTP POST and HTTP Artifact bindings.  Used for SSO from a Web Browser.

Name Identifier Management Profile: Specifies how the HTTP Redirect, HTTP POST, HTTP Artifact and SOAP bindings are used by the Name Identifier Management protocol.

Single Logout Profile: Specifies how HTTP Redirect, HTTP POST, HTTP Artifact and SOAP bindings are used within the SAML Single Logout protocol.

Name Identifier Mapping Profile: Specifies how a synchronous binding such as the SOAP binding can be used to support the Name Identifier Mapping protocol.

Artifact Resolution Profile: Specifies how a synchronous binding such as the SOAP binding can be used to support the Artifact Resolution protocol.

Assertion Query/Request Profile: Specifies how a synchronous binding such as the SOAP binding can be used to support the SAML query protocols.

OWA Security Risks – Are You Overlooking Something?

The security perimeter is expanding as more and more of the workforce becomes mobile and requires remote access to company resources. These workers not only want remote access, they want it around the clock. One of the main resources that must be available is email, and for many organizations Outlook Web App (OWA) is the answer.

As with many aspects of the migration to a mobile workforce, there is serious concern about how this will change the organization's IT structure, especially when it comes to data security. Most attacks start with email accounts, which makes OWA a prime target.

Although most companies protect their OWA deployments with forms-based authentication at a minimum, there are still vulnerabilities that should be of concern.

In the upcoming weeks we will highlight some of the security threats you should be aware of when you have your "OWA open to the world":

  • User security awareness: leaving the browser and session open on a public machine
  • Brute-force attacks: such as Outlook Web App Brute Force made specifically for OWA attacks
  • Man-in-the-Middle attacks
  • Keystroke Loggers
  • Weak passwords
  • BYOD: users using personal devices to access OWA
  • Spoofed HTTPS connections
  • Enumerating usernames (MetaGoofil, FOCA, theHarvester)
  • Providing remote access to users
  • Checking email in a public location
  • OWABF
  • WMAT

And many more…

Remember, there are always risks when mixing email with web server technology, and OWA is a widely adopted form of that integration. Check back for more in the following posts.

###

Visit PortalGuard.com for information about how the authentication platform can secure your OWA implementation.

Subscribe to our newsletter: http://portalguard.com/contact_us.php

https://twitter.com/portalguard

http://pinterest.com/pistolstar/portalguard

http://www.facebook.com/pistolstar.authentication

http://www.facebook.com/pages/PortalGuard/240761992635169

Security Assertion Markup Language: SAML Bindings Explained

SAML is an XML-based framework for generating and exchanging security information between parties that already know of one another. It is used to provide web-based single sign-on (SSO) beyond the intranet.

There are a number of distinct SAML bindings; their job is to map SAML request-response messages onto the messages of other communication protocols. This is what lets SAML integrate with a wide variety of applications and technologies.

Another way of thinking about SAML bindings is to consider that they embed and transport SAML messages through various transport protocols.

Here is a list of SAML bindings (not a complete set):

SAML SOAP Binding – Specifies how to carry SAML messages inside SOAP (Simple Object Access Protocol) messages.

Reverse SOAP (PAOS) binding – Allows an HTTP requester to act as a SOAP responder or process SOAP messages containing SAML messages.

HTTP Redirect Binding – Allows for SAML protocol messages to be embedded within URL parameters.

HTTP POST Binding – SAML protocol messages are transmitted as base64-encoded content within an HTML form.

HTTP Artifact Binding – SAML requests, responses or both are sent by reference, using a small value known as an artifact. This binding may be combined with the HTTP Redirect and HTTP POST bindings.

SAML URI Binding – A Uniform Resource Identifier refers to a resource independently of the protocol being used. This binding combines an AssertionIDRequest message with an AssertionIDRef message into a single URI. Like SOAP, a URI can be transported over multiple protocols.
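The HTTP Redirect and HTTP POST bindings above are the two the Web Browser SSO profile relies on, and the difference between them is easiest to see in code. The following is an added example (not code from the original post or from PortalGuard): it carries one constructed <samlp:AuthnRequest> through both bindings and decodes it again. The issuer, the endpoint URLs and the 64 KB inflate cap are assumptions for the example; the cap matters because the Redirect binding delivers DEFLATE-compressed data, and an IdP should never inflate attacker-controlled input without a bound.

```python
"""HTTP-Redirect versus HTTP-POST binding for one SAML protocol message.

Added example; it is not code from the original post or from PortalGuard.
The AuthnRequest, the issuer and the endpoint URLs are constructed samples.
"""
import base64
import zlib
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample message (ID and hosts are made up).
AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_example-request-1" Version="2.0" IssueInstant="2012-12-05T09:24:43Z">'
    '<saml:Issuer>https://rp.example.com/SAML2</saml:Issuer>'
    '</samlp:AuthnRequest>'
)

MAX_INFLATED_BYTES = 64 * 1024  # assumed limit; real requests are a few KB


def redirect_binding_url(sso_url: str, message: str,
                         relay_state: Optional[str] = None) -> str:
    """HTTP-Redirect binding: raw DEFLATE, then base64, then URL-encode into the query."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)   # wbits=-15: raw deflate, no zlib header
    deflated = compressor.compress(message.encode("utf-8")) + compressor.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state is not None:
        params["RelayState"] = relay_state
    return f"{sso_url}?{urlencode(params)}"


def decode_redirect_binding(url: str) -> Tuple[str, Optional[str]]:
    """Reverse the Redirect binding, refusing payloads that inflate past the cap."""
    query = parse_qs(urlsplit(url).query)          # also undoes the URL-encoding
    deflated = base64.b64decode(query["SAMLRequest"][0])
    inflater = zlib.decompressobj(-15)
    data = inflater.decompress(deflated, MAX_INFLATED_BYTES)
    # If the stream did not finish within the cap, this is a decompression bomb.
    if not inflater.eof or inflater.unconsumed_tail:
        raise ValueError("SAMLRequest inflates beyond the allowed size")
    relay_state = query.get("RelayState", [None])[0]
    return data.decode("utf-8"), relay_state


def post_binding_fields(message: str,
                        relay_state: Optional[str] = None) -> Dict[str, str]:
    """HTTP-POST binding: the whole message, base64-encoded, as hidden form fields."""
    fields = {"SAMLRequest": base64.b64encode(message.encode("utf-8")).decode("ascii")}
    if relay_state is not None:
        fields["RelayState"] = relay_state
    return fields


def decode_post_binding(fields: Dict[str, str]) -> Tuple[str, Optional[str]]:
    """Reverse the POST binding (no compression is involved)."""
    return (base64.b64decode(fields["SAMLRequest"]).decode("utf-8"),
            fields.get("RelayState"))


if __name__ == "__main__":
    url = redirect_binding_url("https://idp.example.org/SSO", AUTHN_REQUEST, "/inbox")
    print(url)
    print(decode_redirect_binding(url) == (AUTHN_REQUEST, "/inbox"))
    print(decode_post_binding(post_binding_fields(AUTHN_REQUEST)) == (AUTHN_REQUEST, None))
```

The Redirect binding compresses because URLs have practical length limits; the POST binding does not, because a form body has none. Either way the receiver must still verify the message's signature and issuer after decoding, which the validation steps later on this page cover.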

###

The PortalGuard software is an authentication platform which is focused on enhancing usability, while maintaining a balance between security, auditing, and compliance for your web and desktop authentication requirements. PortalGuard provides capabilities including multi-factor authentication, transparent user authentication,  self-service password management, two-factor authentication, password synchronization and single sign-on which can be seamlessly configured by user, group, or application.

http://www.PortalGuard.com


Email Provider: Not as Secure as You'd Think

Here is an interesting situation with an email provider and the issues it is facing with the hijacking of customer mailboxes:

“I am sorry to hear that you were experiencing issues with email latency. We are working on making changes to resolve the issues with latency. In the meantime you may see peaks of latency. We are monitoring the servers and will clear blocked queues as they arise. These traffic jams are caused by hackers hijacking our customers' mailboxes that have weak passwords. We have set up automatic suspensions to stop these mailboxes faster. We are recommending to all of our customers to make passwords as secure as possible to help prevent this issue.”

Given the negative effects on their customers, you have to wonder whether they support encrypted connections to their POP3 and SMTP servers. This provider was still using the clear-text ports 110 and 25, respectively. What they believe protects their servers is strong passwords… but what good is a “strong password” if it is sent to the mail servers in the clear? Their password complexity rules:

“Passwords  must be 8-14 characters, with at least one letter, plus one number or special character [!@#$%^&*]”

It is amazing that a password such as “Password1” satisfies these rules and is considered strong. With email being a very weak link in many organizations, it is alarming to see this treated as secure. Many providers operate with a false sense of security that is never disclosed to their customers. What is your email provider using?
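To make the point concrete, here is an added example (not from the original post or from PortalGuard) that implements the quoted rule literally and then applies the checks it lacks: minimum length, a dictionary lookup after stripping the trailing digits and undoing common letter substitutions, and a pattern check for the Word+digits shape. COMMON_BASE_WORDS is a constructed stand-in for a real breached-password list, and the 12-character minimum is an assumption of the example.

```python
"""The provider's complexity rule versus a check that actually rejects weak passwords.

Added example, not from the original post or from PortalGuard.
"""
import re
from typing import List

SPECIALS = "!@#$%^&*"                      # the characters the provider's rule names
LEET = str.maketrans("@$0!13", "asoiie")   # undo common substitutions: @->a $->s 0->o !->i 1->i 3->e
# Constructed sample; a real check would use a breached-password or dictionary list.
COMMON_BASE_WORDS = {"password", "welcome", "letmein", "qwerty", "monkey", "dragon"}
MIN_LENGTH = 12                            # assumed stricter policy


def meets_provider_rule(password: str) -> bool:
    """8-14 characters, at least one letter, plus one digit or one of !@#$%^&*."""
    return (8 <= len(password) <= 14
            and re.search(r"[A-Za-z]", password) is not None
            and re.search(r"[0-9" + re.escape(SPECIALS) + "]", password) is not None)


def weaknesses(password: str) -> List[str]:
    """Reasons a password is weak even though it may satisfy the provider's rule."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    # Strip the trailing digits/symbols people append to satisfy rules, undo
    # letter substitutions, and see whether a dictionary word is left.
    base = re.sub(r"[0-9" + re.escape(SPECIALS) + r"]+$", "", password).lower()
    if base.translate(LEET) in COMMON_BASE_WORDS:
        reasons.append("dictionary word with a predictable suffix")
    if re.fullmatch(r"[A-Za-z]+[0-9]{1,4}[" + re.escape(SPECIALS) + "]?", password):
        reasons.append("Word+digits pattern that cracking tools try first")
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < 3:
        reasons.append("fewer than three character classes")
    return reasons


def is_acceptable(password: str) -> bool:
    """Accept only passwords with no identified weakness."""
    return not weaknesses(password)


if __name__ == "__main__":
    for candidate in ("Password1", "P@ssw0rd1", "Vf9#qLm2$tYz"):
        print(candidate, meets_provider_rule(candidate), weaknesses(candidate))
```

Run as a script it shows that “Password1” and “P@ssw0rd1” both pass the provider's rule and both fail the stricter check for the same reason: the rule measures composition, not guessability.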

The Data Breach Blog – An Excellent Resource

We have been including blog posts about security breaches throughout the year, and I wanted to share a great resource from SC Magazine called The Data Breach Blog. It is dedicated to reporting on data breaches as they occur, with information such as how many victims, what happened, what type of personal data was involved, what the response was, and details of the issues that allowed the breach to happen.

One example is the recent breach of a database containing personal information on 235,000 students, former students, parents, faculty, staff and individuals who sent their SAT scores to Western Connecticut State University. This included names, social security numbers, emails, addresses, phone numbers and even grades. Check out the rest of the blog post to see how they handled the attack…


Security Assertion Markup Language: SAML Protocols Explained

SAML is an XML-based framework for generating and exchanging security information between parties that already know of one another. It is used to provide web-based single sign-on (SSO) beyond the intranet.

SAML defines several request-response protocols. Each is identified by the action it is used for.

This article discusses four SAML protocols:

  • Authentication Request Protocol: lets the Service Provider request a SAML response on behalf of a user (principal).
  • Artifact Resolution Protocol: lets the Service Provider and Identity Provider communicate directly with each other without the principal involved.
  • Single Logout: lets the IdP log the user out of all SP sessions when one session is ended.
  • Name Identifier Management: lets the IdP or SP change, or stop using, the name identifier for a principal.


AUTHENTICATION REQUEST PROTOCOL

With SAML 1.1, the IdP sent an unsolicited response to the Service Provider (SP), and the SP had no way to initiate the authentication process. With SAML 2.0 the Service Provider can initiate the request for authentication via the Authentication Request Protocol.

Authentication Request Protocol – used by a Service Provider to request that the IdP authenticate a user.

When a Service Provider wants to acquire a SAML assertion on behalf of a user seeking access to a protected resource, the SP sends an Authentication Request, or more precisely a <samlp:AuthnRequest>.

This is an example of a complete authentication request:

<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="ccjskdie-9304-1192-3029-dkejuf72a398"
    Version="2.0"
    IssueInstant="2012-12-05T09:24:43"
    AssertionConsumerServiceIndex="0"
    AttributeConsumingServiceIndex="0">
  <saml:Issuer>https://rp.monopoly.com/SAML2</saml:Issuer>
  <samlp:NameIDPolicy
      AllowCreate="true"
      Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
</samlp:AuthnRequest>

The above <samlp:AuthnRequest> element asks the IdP for an assertion containing an authentication statement. The <saml:Issuer> element shows that it was issued by the service provider https://rp.monopoly.com/SAML2. The request is delivered to the IdP via the browser. The identity provider authenticates the user who originated the request and issues an authentication response, which is sent back to the service provider (again via the browser).

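Because the request arrives via the user's browser, nothing in it can be taken on trust. The following is an added example (not the original post's or PortalGuard's code) of the checks an IdP should apply to the request above before authenticating anyone for it: root element and namespace, Version, a present ID, IssueInstant freshness, an Issuer that is a registered SP, an AssertionConsumerServiceIndex the SP's metadata actually defines, and a NameID format the IdP is willing to issue. KNOWN_SPS, ALLOWED_NAMEID_FORMATS and MAX_SKEW are assumed deployment settings.

```python
"""Checks an IdP should apply to a received <samlp:AuthnRequest>.

Added example, not the original post's or PortalGuard's code.  The SP
registry, the accepted NameID formats and the clock-skew window are
assumptions for this example.
"""
import xml.etree.ElementTree as ET   # production code should parse with defusedxml
from datetime import datetime, timedelta, timezone
from typing import List

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Assumed SP registry: entityID -> AssertionConsumerServiceIndex values from its metadata.
KNOWN_SPS = {"https://rp.monopoly.com/SAML2": {"0"}}
ALLOWED_NAMEID_FORMATS = {
    "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
}
MAX_SKEW = timedelta(minutes=5)   # assumed tolerance for IssueInstant

# The request from the post above, with straight quotes.
SAMPLE_REQUEST = """<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="ccjskdie-9304-1192-3029-dkejuf72a398"
    Version="2.0"
    IssueInstant="2012-12-05T09:24:43"
    AssertionConsumerServiceIndex="0"
    AttributeConsumingServiceIndex="0">
  <saml:Issuer>https://rp.monopoly.com/SAML2</saml:Issuer>
  <samlp:NameIDPolicy AllowCreate="true"
      Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
</samlp:AuthnRequest>"""


def parse_instant(value: str) -> datetime:
    """Parse xs:dateTime; a missing zone is treated as UTC, which SAML requires anyway."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    parsed = datetime.fromisoformat(value)
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def validate_authn_request(xml_text: str, now: datetime) -> List[str]:
    """Return a list of problems; an empty list means the request may be processed."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        return [f"unexpected root element {root.tag}"]
    if root.get("Version") != "2.0":
        problems.append("Version is not 2.0")
    if not root.get("ID"):
        problems.append("missing ID (needed for InResponseTo and replay tracking)")
    try:
        issued = parse_instant(root.get("IssueInstant", ""))
        if abs(now - issued) > MAX_SKEW:
            problems.append("IssueInstant outside the clock-skew window")
    except ValueError:
        problems.append("missing or malformed IssueInstant")
    issuer_el = root.find(f"{{{SAML}}}Issuer")
    issuer = (issuer_el.text or "").strip() if issuer_el is not None else ""
    if issuer not in KNOWN_SPS:
        problems.append(f"Issuer {issuer!r} is not a registered service provider")
    else:
        acs_index = root.get("AssertionConsumerServiceIndex")
        if acs_index is not None and acs_index not in KNOWN_SPS[issuer]:
            problems.append("AssertionConsumerServiceIndex not in the SP's metadata")
    policy = root.find(f"{{{SAMLP}}}NameIDPolicy")
    if policy is not None and policy.get("Format") not in ALLOWED_NAMEID_FORMATS:
        problems.append("requested NameID format is not supported")
    return problems


if __name__ == "__main__":
    received_at = datetime(2012, 12, 5, 9, 26, tzinfo=timezone.utc)
    print(validate_authn_request(SAMPLE_REQUEST, received_at))   # [] for the sample
```

A request that fails any check should be answered with a SAML error status, not silently ignored, and the IdP should also remember recent IDs so that a captured request cannot simply be replayed within the skew window.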

ARTIFACT RESOLUTION PROTOCOL

A SAML message can be delivered between an IdP and an SP either by value or by reference. With the Authentication Request Protocol the SAML message itself is sent, that is, by value. With the Artifact Resolution Protocol a reference called an artifact is sent instead. The artifact is resolved by sending a <samlp:ArtifactResolve> request directly to the entity that issued it, which then returns the actual SAML message the artifact refers to.

Here is an example that an IdP may send directly to an SP. The element in question is <samlp:ArtifactResolve>, and it is sent directly to the SP, not through the client's web browser.

<samlp:ArtifactResolve
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="sie983ekcmjsdi_ejsk1wilsdoe9rim4rt"
    Version="2.0"
    IssueInstant="2012-12-07T03:21:23"
    Destination="https://sp.monopoly.com/SAML2/ArtifactResolution">
  <saml:Issuer>https://idp.trouble.org/SAML2</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.miltonbradley.org/2000/09/signature">…</ds:Signature>
  <samlp:Artifact>BNBMGGFh65/1lPOI+s8YrtK8fOlskeiJDHeiNmDj6RdUmllwnlsKeeRif9Ie=</samlp:Artifact>
</samlp:ArtifactResolve>

The service provider responds with the SAML element referenced by the enclosed artifact.


SINGLE LOGOUT

A local session is established at the IdP during the SAML login process, and a session is established at each SP the user gains access to. Because the IdP knows about all of the sessions the user has established, when the user logs out of one session the IdP can use the Single Logout protocol to log the user out of the other sessions automatically. This is done with the <LogoutRequest> and <LogoutResponse> messages.


NAME IDENTIFIER MANAGEMENT

Once the IdP has established a “name identifier” for a principal (user), it can, if need be, use the Name Identifier Management protocol to change the value of the identifier or to declare that the identifier will no longer be used. The IdP uses the <ManageNameIDRequest> message for this. An SP can also use this message to change its SPProvidedID or to stop using a name identifier with the IdP.

Go Daddy Increases Security with 2FA

Following some very serious security breaches, Go Daddy.com is implementing two-factor authentication in the UK and globally to increase security. One of the attacks got into the DNS of many GoDaddy.com websites and began redirecting users to sites that served ransomware, locking them out of their computers and demanding money to unlock them. This happened to roughly 200 customers and led GoDaddy to take steps toward stronger authentication. Two-factor authentication was already available in the US and Canada, and it is now being extended around the world to anyone who needs it. Their goal is to put in place more automated, intelligence-driven security to protect users and block unauthorized access. Read More…



Security Attack: Leaving the Burden on the User

[Based on a real life case study of an attack occurring November 23rd, 2012]

This is a perfect case in which the user is not only the cause of the breach but also the one responsible for noticing that it happened. The corporation hosting the application is unaware, because all of the unauthorized activity happens on, and to, the user's machine. Organizations typically say that they have no control over the user's machine, which is accurate, but what they do control is the security around the application login.

In this scenario, Sophia received an email notifying her that her password had been reset. This alarmed her, as she had not gone through any reset process that she could remember. After confirming that her husband had not requested the reset either, she notified the corporation. Sophia now sees the corporation as insecure, which hurts its reputation, until other evidence shows that the corporation is secure and that Sophia's computer is really the issue.

To perform the reset, the application requires that Sophia, or in this case the hacker, provide the username, social security number, and answers to three challenge questions. On investigation, the corporation discovered that the hacker was in New York and had provided all of the correct information. Because the reset succeeded, nothing alerted the corporation to malicious behavior. Had Sophia not received the notification email and noticed the inconsistency, the hacker would have had complete access to and control over the account. For sensitive accounts, such as an email or bank account, this is of huge concern.

Sophia was also concerned that she might not be the only customer affected. The corporation checked its logging and other records and determined that Sophia's computer was the source, probably containing a Trojan or keystroke-logging malware. For Sophia, the feeling of insecurity has now shifted from the corporation to her own computer: she has to install anti-virus software, which she did not have at the time of the attack, run malware scans, and so on.

Although Sophia's computer was the source of the malware, could the corporation have prevented the attack? Could it help Sophia feel secure when logging into its application and prevent her data from being accessed by an unauthorized user? The password reset functionality was implemented to make logging in easier for Sophia, but is it also the corporation's responsibility to make sure that process is secure? The answer: yes.

Had the corporation required not only challenge questions and answers to reset the password but also two-factor authentication, sending a one-time password (OTP) to Sophia's enrolled mobile phone, the hacker would have been stopped. Without Sophia's mobile phone with him in New York there is no way to receive the OTP and therefore no way to change the password. This takes the responsibility off Sophia and secures the process for her.

PortalGuard allows corporations to implement self-service password reset, recovery and account unlock seamlessly in their applications. This is done with PortalGuard's Self-service Password Reset in Sidecar Mode, which adds forgot-password links and any necessary infrastructure without changing the appearance of the existing login screen. Sophia would click forgot password, answer a configurable number of challenge questions, and then enter a one-time password (OTP) sent to her mobile phone via SMS, a phone call, or email. The hacker would be stopped in their tracks, because the OTP would not be received and they could not move forward in the password reset process.
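The reset flow described in this case study, challenge questions followed by an OTP to the enrolled phone, is shown below as an added example; it is not the original post's code and it is not PortalGuard's product. It models the attacker's position exactly: knowing the username, the SSN and every challenge answer yields only a pending reset, and the password changes only once the code delivered to the enrolled phone is presented. The SMS gateway is an injected callable so the example runs offline; OTP_TTL_SECONDS and MAX_OTP_ATTEMPTS are assumed settings.

```python
"""Self-service password reset gated by challenge answers AND an SMS one-time password.

Added example, not the original post's or PortalGuard's code.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

OTP_TTL_SECONDS = 300      # assumed: code is valid for five minutes
MAX_OTP_ATTEMPTS = 3       # assumed: then the pending reset is voided


def slow_hash(secret: str, salt: bytes) -> bytes:
    """PBKDF2 so stored answers and passwords are not recoverable from a database dump."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, 100_000)


def normalize_answer(answer: str) -> str:
    """Challenge answers are compared case- and whitespace-insensitively."""
    return answer.strip().lower()


@dataclass
class Enrollment:
    phone: str
    salt: bytes
    answer_hashes: List[bytes]
    password_hash: bytes


@dataclass
class PendingReset:
    username: str
    otp: str
    expires_at: float
    attempts_left: int = MAX_OTP_ATTEMPTS


class ResetService:
    def __init__(self, send_sms: Callable[[str, str], None],
                 clock: Callable[[], float] = time.time):
        self.send_sms = send_sms   # injected gateway; constructed for the example
        self.clock = clock         # injectable so expiry can be tested deterministically
        self.users: Dict[str, Enrollment] = {}
        self.pending: Dict[str, PendingReset] = {}

    def enroll(self, username: str, phone: str, answers: List[str], password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[username] = Enrollment(
            phone, salt,
            [slow_hash(normalize_answer(a), salt) for a in answers],
            slow_hash(password, salt))

    def check_password(self, username: str, password: str) -> bool:
        user = self.users.get(username)
        return user is not None and hmac.compare_digest(
            slow_hash(password, user.salt), user.password_hash)

    def begin_reset(self, username: str, answers: List[str]) -> Optional[str]:
        """Step 1: challenge questions.  Success sends an OTP to the enrolled phone and
        returns an opaque reset token; the password itself is still unchanged."""
        user = self.users.get(username)
        if user is None or len(answers) != len(user.answer_hashes):
            return None
        correct = True
        for given, stored in zip(answers, user.answer_hashes):   # no early exit
            correct &= hmac.compare_digest(slow_hash(normalize_answer(given), user.salt), stored)
        if not correct:
            return None
        otp = f"{secrets.randbelow(10 ** 6):06d}"
        token = secrets.token_urlsafe(32)
        self.pending[token] = PendingReset(username, otp, self.clock() + OTP_TTL_SECONDS)
        self.send_sms(user.phone, f"Your password reset code is {otp}")
        return token

    def complete_reset(self, token: str, otp: str, new_password: str) -> bool:
        """Step 2: the OTP.  Wrong codes burn attempts; expiry or exhaustion voids the token."""
        pending = self.pending.get(token)
        if pending is None:
            return False
        if self.clock() > pending.expires_at:
            del self.pending[token]
            return False
        pending.attempts_left -= 1
        if not hmac.compare_digest(pending.otp, otp):
            if pending.attempts_left <= 0:
                del self.pending[token]
            return False
        del self.pending[token]
        user = self.users[pending.username]
        user.password_hash = slow_hash(new_password, user.salt)
        return True
```

Two details carry the security of the flow: the reset token and the OTP are separate secrets, so a stolen token alone is useless, and the OTP is bound to a short lifetime and a small attempt budget, so it cannot be guessed at leisure. Sending the reset notification email, as the corporation in the story did, remains worthwhile as a detective control even when this preventive control is in place.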

BYOD is on the Rise: Going to Double in 2014

This was a hot topic in 2012 and looks to be on the rise in the coming years. A recent study by Juniper Research showed that devices used in the corporate environment will increase from the current 150 million to 350 million, which is of great concern because securing these endpoints is not enforced in many organizations. The majority of the increase will happen in Eastern Europe, with North America second.

It is not only the devices that lack security but also the way access to company data is provided. Only 5% of the tablets and smartphones in use currently have security software in place to protect against malware and malicious attacks. The operating systems used on these devices are also open and therefore vulnerable. The best protection is to deploy security software and help users learn best practices for these devices. Of course, this does not protect against the biggest threat: physical theft of the device.

Allowing personal devices blurs the boundary between corporate and personal. The article argues that instead of treating these devices as just another endpoint, you need to integrate them fully into your corporate security plans and structure. Read More…
