2 - Implementing Authentication Systems (Coggle diagram)
Implementing SSO on the Internet
Security Assertion Markup Language (SAML)
SAML 2.0 has 3 entities
Principal or User Agent
Service Provider (SP) or Relying Party
Identity Provider (IdP) or Asserting Party
An assertion can carry three types of XML statements
Authentication Statement
Proof that the user agent presented valid credentials; identifies the authentication method used and the time the user agent logged on
Attribute Statement
Any information about the user agent, including their entitlements
Authorization Statement
Indicates whether the user agent is authorized to access the requested service
Used to exchange authentication and authorization (AA) information between federated organizations
OAuth 2.0
RFC 6749
Asks the user whether to authorize an app to access data held by another account
An authorization framework, not an authentication framework
Uses access tokens
OpenID Connect (OIDC)
Authentication layer built on top of the OAuth 2.0 authorization framework
Uses an ID token (a JWT)
Implementing SSO on Internal Networks
AAA protocols
Kerberos
Elements
Key Distribution Center (KDC)
Trusted third party providing authentication services
Kerberos Authentication Server
Hosts the functions of the KDC:
Ticket-Granting Service (TGS)
Authentication Service (AS)
Verifies or rejects the authenticity and timeliness of tickets
Often called the KDC
Service Ticket (ST), issued by the Ticket-Granting Service (TGS)
Encrypted message that provides proof that a subject is authorized to access an object
Ticket-granting Ticket (TGT)
Proof that a subject has authenticated through a KDC and is authorized to request service tickets to access other objects
Encrypted; includes a symmetric key, an expiration time, and the user's IP address
Kerberos Principal
Typically a user, but can be any entity that requests a service ticket
Kerberos realm
Logical area (domain) administered by Kerberos
Uses AES for its symmetric encryption
Ticket flow
TGT
Granted to a user who authenticates against the KDC
Encrypted with a hash of the user's password
ST
The client sends its TGT to the KDC with a request to access a specific resource. The KDC returns an ST to the client. The client presents the ST to the service it wants to use.
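To make the TGT/ST flow above concrete, here is an added Python simulation (not part of the original notes) of the three steps: the AS issues a TGT sealed with a key derived from the user's password, the TGS checks the TGT's expiry and client address before issuing an ST, and the service opens the ST with its own key. A toy HMAC-based cipher stands in for Kerberos' AES; the realm, principal names, service key and 36000-second ticket lifetime are constructed assumptions.

```python
import hashlib, hmac, json, os, time
# Toy stand-in for Kerberos' AES: HMAC-SHA256 keystream XOR plus an HMAC tag (not real AES).
def key_from_password(password: str) -> bytes:
    return hashlib.sha256(password.encode()).digest()  # the principal's long-term key

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(length // 32 + 1))[:length]

def seal(key: bytes, fields: dict) -> bytes:
    nonce, pt = os.urandom(16), json.dumps(fields).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered ticket")  # a wrong password ends up here
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

class KDC:
    """Authentication Service (AS) and Ticket-Granting Service (TGS) on one trusted host."""
    def __init__(self, users: dict, services: dict):
        self.user_keys = {u: key_from_password(p) for u, p in users.items()}
        self.service_keys = services      # service name -> that service's long-term key
        self.tgs_key = os.urandom(32)     # known only to the KDC (the krbtgt key)

    def as_exchange(self, user: str, addr: str):
        # Step 1: the AS issues a TGT; the session key is sealed with the user's password key.
        sk, exp = os.urandom(32).hex(), time.time() + 36000  # constructed 10-hour lifetime
        tgt = seal(self.tgs_key, {"user": user, "sk": sk, "addr": addr, "exp": exp})
        return seal(self.user_keys[user], {"sk": sk}), tgt

    def tgs_exchange(self, tgt: bytes, service: str, addr: str):
        # Step 2: the TGS checks the TGT's timeliness and client address, then issues an ST.
        t = unseal(self.tgs_key, tgt)
        if t["exp"] < time.time() or t["addr"] != addr:
            raise PermissionError("expired TGT or client address mismatch")
        ssk = os.urandom(32).hex()
        st = seal(self.service_keys[service], {"user": t["user"], "sk": ssk, "exp": t["exp"]})
        return seal(bytes.fromhex(t["sk"]), {"sk": ssk}), st

def client_access(kdc: KDC, user: str, password: str, addr: str, service: str) -> str:
    """Steps 1-3 from the client's side; returns the principal name the service sees."""
    reply, tgt = kdc.as_exchange(user, addr)
    sk = bytes.fromhex(unseal(key_from_password(password), reply)["sk"])  # wrong password fails here
    reply2, st = kdc.tgs_exchange(tgt, service, addr)
    unseal(sk, reply2)                                   # client recovers the service session key
    return unseal(kdc.service_keys[service], st)["user"] # step 3: the service opens the ST

DEMO_KDC = KDC({"alice": "correct horse"}, {"fileserver": os.urandom(32)})  # constructed realm
```

A wrong password cannot open the AS reply, so the client never learns the session key and the flow stops at step 1, which is the property the password-hash encryption of the TGT reply provides.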
RADIUS
Centralizes authentication for remote access connections
TCP/2083 when RADIUS runs over TLS
UDP/1812 for authentication and authorization messages
UDP/1813 for RADIUS accounting messages
Encrypts only the password
TACACS+
Separates authentication, authorization, and accounting into distinct processes (each can run on a different server)
Encrypts all of the authentication information, not just the password
TCP/49