Liberty ID-FF Bindings and Profiles Specification - Liberty Alliance

More documents

Recommendations

Info

Liberty Alliance Project:Liberty ID-FF Bindings and Profiles SpecificationVersion: 1.2-errata-v2.0224422452246224722482249225022512252225322542255225622572258225922602261226222632264226522662267226822692270227122722273227422752276227722782279228022812282Description: After getting an artifact or in step 6 (see Section 3.2.1), a legitimate PrincipalA could pass this artifact or on to another Principal, B. Principal B is now able to use theartifact or , while the actual authentication happened via Principal A.Countermeasure: Implementations where this threat is a concern MUST use the in the authentication statement. The IP address that Principal B uses would be different from the IP address within the. This countermeasure may not suffice when the user agent is behind a firewallor proxy server. IP spoofing may also circumvent this countermeasure.Threat: Stolen artifact and subsequent Principal impersonationDescription: See Section 4.1.1.9.1 in [SAMLBind11]Countermeasure: Identity providers MUST enforce a policy of one-time retrieval of the assertion corresponding toan artifact so that a stolen artifact can be used only once. Implementations where this threat is a concern MUST use the in the authentication statement. The IP address of a spurious user agent that attemptsto use the stolen artifact would be different from IP address within the .The service provider may then be able to detect that the IP addresses differ. This countermeasure may not suffice whenthe user agent is behind a firewall or proxy server. IP address spoofing may also circumvent this countermeasure.Threat: Stolen assertion and subsequent Principal impersonationDescription: See Section 4.1.1.9.1 in [SAMLBind11]Countermeasure: Refer to the previous threat for requirements.Threat: Rogue service provider uses artifact or assertion to impersonate Principal at a different service providerDescription: Because the contains the , this threat is not possible.Countermeasure: NoneThreat: Rogue identity provider impersonates Principal at a service providerDescription: Because the Principal trusts the identity provider, it is assumed that the identity provider does not misusethe Principal’s trust.Countermeasure: NoneThreat: Identity provider modifies Principal during a session with a service providerDescription: A service provider whose session has exceeded the time must contactthe Identity provider to get a new assertion. The new assertion might be for a different identity.Countermeasure: Service providers should continue to follow assertion processing rules to ensure that the subject ofany assertions received is actually the user for which the assertion is needed.Threat: Rogue user attempts to impersonate currently logged-in legitimate Principal and thereby gain access toprotected resources.Description: Once a Principal is successfully logged into an identity provider, subsequent messages from different service providers concerning that Principal will not necessarily cause the Principal to bereauthenticated. Principals must, however, be authenticated unless the identity provider can determine that an is associated not only with the Principal’s identity, but also with a validly authenticated identityprovider session for that Principal.Countermeasure: In implementations where this threat is a concern, identity providers MUST maintain stateinformation concerning active sessions, and MUST validate the correspondence between an andLiberty Alliance Project66
Liberty Alliance Project:Liberty ID-FF Bindings and Profiles SpecificationVersion: 1.2-errata-v2.0228322842285228622872288228922902291229222932294229522962297229822992300230123022303an active session before issuing an without first authenticating the Principal. Cookies posted byidentity providers MAY be used to support this validation process, though Liberty does not mandate a cookie-basedapproach.4.4.2.2. Liberty-Enabled Client and Proxy ProfileThreat: Intercepted and and subsequent Principal impersonation.Description: A spurious system entity can interject itself as a man-in-the-middle (MITM) between the user agent(LECP) and a legitimate service provider, where it acts in the service provider role in interactions with theLECP, and in the user agent role in interactions with the legitimate service provider. In this way, as a first step,the MITM is able to intercept the service provider’s (step 3 of Section 3.2.4)and substitute any URL of its choosing for the value before forwardingthe on to the LECP. Typically, the MITM will insert a URL value thatpoints back to itself. Then, if the LECP subsequently receives a from theidentity provider (step 6 in Section 3.2.4) and subsequently sends the contained to the received from the MITM, the MITM will be able to masquerade as thePrincipal at the legitimate service provider.Countermeasure: The identity provider specifies to the LECP the address to which the LECPmust send the . The in the element is for this purpose. This URL value is among the metadata thatidentity and service providers must exchange in the process of establishing their operational relationship (seeSection 3.1 and Section 3.1.3).23042305230623072308230923102311231223132314231523162317231823192320232123224.4.2.3. FederationThreat: Collusion among service providers can violate privacy of the PrincipalDescription: When a group of service providers collude to share the of aPrincipal, they can track and in general compromise the privacy of the principal. More generally, this threat exists forany common data (e.g. phone number) shared by rogue system entities.Countermeasure: The is required to be unique for each identity provider toservice provider relationship. However, this requirement does not eliminate the threat when there are rogue participantsunder the Principal’s identity federation. The only protection is for Principals to be cautious when they choose serviceproviders and understand their privacy policies.Threat: Poorly generated name identifiers may compromise privacyDescription: The federation protocol mandates that the elements be unique within aPrincipal’s federated identities. The name identifiers exchanged are pseudonyms and, to maintain the privacy ofthe Principal, should be resistant to guessing or derivation attacks.Countermeasure: Name identifiers should be constructed using pseudo-random values that have no discernablecorrespondence with the Principal’s identifier (or name) used by the entity that generates the name identifier.4.4.3. Name RegistrationNo known threats.4.4.4. Federation Termination: HTTP-Redirect-Based ProfileThreat: Attacker can monitor and disrupt terminationLiberty Alliance Project67
Page 1 and 2:
Liberty Alliance Project:Version: 1
Page 3 and 4:
Liberty Alliance Project:Liberty ID
Page 5 and 6:
Page 7 and 8:
Page 9 and 10:
Page 11 and 12:
Page 13 and 14:
Page 15 and 16: Liberty Alliance Project:Liberty ID
Page 33: Liberty Alliance Project:Liberty ID
Page 70: Liberty Alliance Project:Liberty ID
show all

Liberty ID-FF Bindings and Profiles Specification - Liberty Alliance

Create successful ePaper yourself

Delete template?

Save as template?