DOCSLIB.ORG

Securing Digital Identities in the Cloud by Selecting an Apposite Federated Identity Management from SAML, Oauth and Openid Connect

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

Securing Digital Identities in the Cloud by Selecting an Apposite Federated Identity Management from SAML, OAuth and OpenID Connect Nitin Naik and Paul Jenkins Defence School of Communications and Information Systems Ministry of Defence, United Kingdom Email: [email protected] and [email protected] Abstract—Access to computer systems and the information this sensitive data over insecure channels poses a significant held on them, be it commercially or personally sensitive, is security and privacy risk. This risk can be mitigated by using naturally, strictly controlled by both legal and technical security the Federated Identity Management (FIdM) standard adopted measures. One such method is digital identity, which is used to authenticate and authorize users to provide access to IT in the cloud environment. Federated identity links and employs infrastructure to perform official, financial or sensitive operations users’ digital identities across several identity management within organisations. However, transmitting and sharing this systems [1], [2]. FIdM defines a unified set of policies and sensitive information with other organisations over insecure procedures allowing identity management information to be channels always poses a significant security and privacy risk. An transportable from one security domain to another [3], [4]. example of an effective solution to this problem is the Federated Identity Management (FIdM) standard adopted in the cloud Thus, a user accessing data/resources on one secure system environment. The FIdM standard is used to authenticate and could then access data/resources from another secure system authorize users across multiple organisations to obtain access without both systems needing individual identities for the to their networks and resources without transmitting sensitive single user. In this way, it avoids the transmission of sensitive information to other organisations. Using the same authentication information/credentials. For example, it is probable that users and authorization details among multiple organisations in one federated group, it protects the identities and credentials of users could possess several accounts with the service providers such in the group. This protection is a balance, mitigating security as Google, Amazon, eBay and AOL. These service providers risk whilst maintaining a positive experience for users. Three require the users’ identity to be confirmed by a trusted central of the most popular FIdM standards are Security Assertion policy framing authority in terms of scope and visibility [5], Markup Language (SAML), Open Authentication (OAuth), and [6], [7], [8]. This relieves the user of the burden of dealing with OpenID Connect (OIDC). This paper presents an assessment of these standards considering their architectural design, working, multiple credentials thereby improving usability and security security strength and security vulnerability, to cognise and ascer- [2], [7], [8]. The FIdM approach separates the authentication tain effective usages to protect digital identities and credentials. and authorization functions for the better management of both. Firstly, it explains the architectural design and working of these There are a number of FIdM standards available, some of standards. Secondly, it proposes several assessment criteria and the most popular and successful FIdM standards, are Security compares functionalities of these standards based on the proposed criteria. Finally, it presents a comprehensive analysis of their Assertion Markup Language (SAML), Open Authentication security vulnerabilities to aid in selecting an apposite FIdM. This (OAuth), and OpenID Connect (OIDC). SAML is an XML- analysis of security vulnerabilities is of great significance because oriented framework for transmitting user authentication, enti- their improper or erroneous deployment may be exploited for tlement and other attribute information [9]. OAuth is a scalable attacks. delegation protocol allowing a user to permit access to an Index Terms—Federated Identity Management; FIdM; SAML; OAuth; OpenID Connect; SSO; DoS; MITM; XSS application to accomplish authorized tasks on behalf of the user [10]. OpenID Connect is an emerging suite of lightweight specifications that provide a framework for communicating I. INTRODUCTION identity via RESTful APIs [11]. These three FIdM standards In cyberspace, digital identities are used to represent an virtually cover the entire FIdM cloud industry. individual, organization or electronic device, which controls This paper presents an assessment of these standards con- access to critical corporate information by the authentica- sidering their architectural design, working, security strength tion and authorization of their users providing access to and security vulnerability, to understand and ascertain effective organisational resources. Businesses are required to exchange usages to protect digital identities and credentials. Firstly, information both financial and personnel with government it explains the architectural design and working of these agencies and other businesses electronically. This collabora- standards. Secondly, it proposes several assessment criteria tive working and sharing of sensitive information is strictly and compares functionalities of these standards based on controlled and protected by legislation in the countries in the proposed criteria. FIdM standards offer the solution to which the organisation operates. However, the transmission of protect digital identities and personal information; however, their implementation requires thoughtful administration and carefully enforced security and privacy policies. The improper or erroneous deployment of the FIdM standard could have serious consequences and open several security vulnerabili- ties, which can be easily exploited for attacks. Therefore, it is essential to understand various message flows and their associated security vulnerabilities, which is comprehensively covered in the final section to aid in selecting an apposite FIdM. The rest of the paper is organised as follows: Section II presents the detailed architectural design and working analysis of the three FIdM standards SAML, OAuth and OIDC; Section III presents the comparative analysis of the three FIdM standards SAML, OAuth and OIDC based on the Fig. 1. SAML Assertion Structure [13] proposed evaluation criteria; Section IV elucidates potential vulnerabilities of FIdM standards due to their improper or • User is an entity that initiates a sequence of protocol erroneous deployment; Section V concludes the paper and messages and consumes the service provided by the SP. suggests some future work. At the end of this paper, a list A user may be an application program that is requesting of acronyms and their full forms are presented to simplify the access to a resource. discipline specific terminologies. The latest version of the SAML specifications is SAML 2.0, which describes the following components [13]: II. ARCHITECTURAL DESIGN AND WORKING OF PREDOMINANT FEDERATED IDENTITY MANAGEMENT • Assertions state how identities are represented. (FIDM) STANDARDS • Protocols represent a sequence of XML messages de- signed to achieve a single goal. This section explains the three predominant FIdM standards • Bindings describe how protocol messages are transported SAML, OAuth and OpenID Connect and their working in over a lower-level protocol such as HTTP. details. All these standards have a commonality, and they • Profiles combine a number of bindings to describe a use security tokens for their services. Security Tokens are a solution for a use case. key concept in FIdM as they are the device of choice for The SAML assertion is the main notion in SAML. It is authenticating and authorizing a users identity or “digital iden- a claim, statement, or declaration of a digital identity which tity”. They are also known as Identity Tokens, Authentication is made by the IDP and trusted by the SP. The identity Tokens and Authorization Tokens [12]. information required by the SP, is usually agreed in advance by the IDP and SP [14]. However, there is a provision after A. Security Assertion Markup Language (SAML) the initial transaction to request additional information. The Security Assertion Markup Language (SAML) was devel- structure of a SAML assertion is shown in Fig. 1. There oped by the Security Services Technical Committee of OASIS are three types of assertions: authentication, attribute, and (Organization for the Advancement of Structured Informa- authorization. Authentication assertion validates the user’s tion Standards) [9]. SAML is an XML-oriented framework identity. Attribute assertion contains specific information about for transmitting user authentication, entitlement, and other the user. Authorization assertion identifies what the user is attribute information [9]. This framework provides two fed- authorized to do [3]. eration partners to select and share identity attributes using a A typical SAML use case example is illustrated in Fig. 2 SAML assertion/message payload, on the condition that these and its corresponding steps are described below: attributes can be expressed in XML [11]. SAML assumes 1) User tries to access a hosted application on the SP’s three key roles in any transaction Identity Provider (IDP/IdP), cloud Service Provider (SP) and User: 2) SP generates a SAML request • Identity Provider (IDP/IdP) is a trusted organisation 3) Browser redirects the SAML request to the IDP’s cloud that authenticates and authorizes
Recommended publications
  • Dod Enterpriseidentity, Credential, and Access Management (ICAM)

    Dod Enterpriseidentity, Credential, and Access Management (ICAM)

    UNCLASSIFIED DoD Enterprise Identity, Credential, and Access Management (ICAM) Reference Design Version 1.0 June 2020 Prepared by Department of Defense, Office of the Chief Information Officer (DoD CIO) DISTRIBUTION STATEMENT C. Distribution authorized to U.S. Government agencies and their contractors (Administrative or Operational Use). Other requests for this document shall be referred to the DCIO-CS. UNCLASSIFIED UNCLASSIFIED Document Approvals Prepared By: N. Thomas Lam IE/Architecture and Engineering Department of Defense, Office of the Chief Information Officer (DoD CIO) Thomas J Clancy, COL US Army CS/Architecture and Capability Oversight, DoD ICAM Lead Department of Defense, Office of the Chief Information Officer (DoD CIO) Approved By: Peter T. Ranks Deputy Chief Information Officer for Information Enterprise (DCIO IE) Department of Defense, Office of the Chief Information Officer (DoD CIO) John (Jack) W. Wilmer III Deputy Chief Information Officer for Cyber Security (DCIO CS) Department of Defense, Office of the Chief Information Officer (DoD CIO) ii UNCLASSIFIED UNCLASSIFIED Version History Version Date Approved By Summary of Changes 1.0 TBD TBD Renames and replaces the IdAM Portfolio Description dated August 2015 and the IdAM Reference Architecture dated April 2014. (Existing IdAM SDs and TADs will remain valid until updated versions are established.) Updates name from Identity and Access Management (IdAM) to Identity, Credential, and Access Management (ICAM) to align with Federal government terminology Removes and cancels
  • Raw Slides (Pdf)

    Raw Slides (Pdf)

    2550 Intro to cybersecurity L5: Distributed Authentication abhi shelat/Ran Cohen Agenda • The problem of distributed authentication • The Needham-Schroeder protocol • Kerberos protocol • Oauth So far: authenticating to a server Mallory Alice Bob Gen pw pw Authenticating to an organization Mallory Alice Gen pw pw Authenticating to an organization Mallory Alice Gen pw pw Distributed authentication • Organizations have many entities (users/services) • Secure communication over insecure channels • Password-based authentication • Passwords are never transmitted (except for the setup phase) • Enable mutual authentication Basic tool: symmetric encryption Alice Bob 푚 푚 Eve Basic tool: symmetric encryption • Gen: generates secret key 푘 • Enc: given 푘 and 푚 output a ciphertext 푐 Denote 퐸푛푐푘 푚 , 퐸푘 푚 , 푚 푘 • Dec: given 푘 and 푐 output a message 푚 • Security (informal): Whatever Eve can learn on 푚 given 푐 can be learned without 푐 • Examples: – DES (Data Encryption Standard) – AES (Advanced Encryption Standard) 푚 Authentication from Encryption • Alice and Bob share a key • They communicate over an insecure channel • Alice wants to prove her identity to Bob • Eve’s goal: impersonate Alice Alice Bob 푘퐴퐵 푘퐴퐵 Eve Attempt #1 Alice Bob I am Alice 푘퐴퐵 푘퐴퐵 I am Alice Eve Attempt #2: use the key Alice Bob I am Alice 푘퐴퐵 푘퐴퐵 푘퐴퐵 I am Alice 푘퐴퐵 Replay attack Eve Attempt #3: use nonce Alice I am Alice Bob 푁푎 푘퐴퐵 Pay Eve 500$ 푁푎 − 1 푘퐴퐵 푘퐴퐵 푘퐴퐵 푘퐴퐵 Nonce: a random number for a one-time use Eve Attempt #3: use nonce Alice I am Alice Bob 푁푎 푘퐴퐵 Pay Eve 500$ 푁푎 −
  • The Essential Oauth Primer: Understanding Oauth for Securing Cloud Apis

    The Essential Oauth Primer: Understanding Oauth for Securing Cloud Apis

    THE ESSENTIAL OAUTH PRIMER: UNDERSTANDING OAUTH FOR SECURING CLOUD APIS WHITE PAPER TABLE OF CONTENTS 03 EXECUTIVE OVERVIEW 03 MOTIVATING USE CASE: TRIPIT 05 TERMINOLOGY 06 INTRODUCTION 07 THE OAUTH 2.0 MODEL 07 OAUTH 2.0 OVERVIEW USING A TOKEN TOKEN TYPE 09 RELATIONSHIP TO OTHER STANDARDS 11 USE CASES TRIPIT REVISITED TOKEN EXCHANGE MOBILE WORKFORCE 13 RECENT DEVELOPMENT 14 SUMMARY 2 WHITE PAPER ESSENTIAL OAUTH PRIMER EXECUTIVE OVERVIEW A key technical underpinning of the cloud and the Internet of Things are Application Programming Interfaces (APIs). APIs provide consistent methods for outside entities such as web services, clients and desktop applications to interface with services in the cloud. More and more, cloud data will move through APIs, but the security and scalability of APIs are currently threatened by a problem call the password anti-pattern. This is the need for API clients to collect and replay the password for a user at an API in order to access information on behalf of that user via that API. OAuth 2.0 defeats the password anti-pattern, creating a consistent, flexible identity and policy architecture for web applications, web services, devices and desktop clients attempting to communicate with cloud APIs. MOTIVATING USE CASE: TRIPIT Like many applications today, TripIt (http://tripit.com) is a cloud-based service. It’s a travel planning application that allows its users to track things like flights, car rentals, and hotel stays. Users email their travel itineraries to TripIt, which then builds a coordinated view of the users’ upcoming trips (as well as those of their TripIt friends—the inevitable social aspect).
  • Digital Identity Roadmap Guide

    Digital Identity Roadmap Guide

    Digital Identity Roadmap Guide International Telecommunication Union Place des Nations CH-1211 Geneva 20 Switzerland ISBN: 978-92-61-27821-2 9 7 8 9 2 6 1 2 7 8 2 1 2 Published in Switzerland Geneva, 2018 Digital Identity Roadmap Guide Some Rights Reserved This work is a publication of the International Telecommunication Union (ITU). The findings, interpre- tations and conclusions expressed in this work do not necessarily reflect the views of the International Telecommunication Union or its governing bodies. The International Telecommunication Union does not guarantee the accuracy of the data included in this work. The boundaries, colours, denominations, and other information shown on any map in this work do not imply any judgment on the part of the International Telecommunication Union concerning the legal status of any territory or the endorse- ment or acceptance of such boundaries. Nothing herein shall constitute or be considered to be a limitation upon or waiver of the privileges and immunities of the International Telecommunication Union, all of which are specifically reserved. Rights & Permission This work is available under the Creative Commons Attribution 3.0 IGO license (CC BY 3.0 IGO) http:/ / creativecommons .org/ licenses/by/ 3 .0/ igo. Under the Creative Commons Attribution license, you are free to copy, distribute, transmit, and adapt this work, including for commercial purposes, under the following conditions: Attribution — Please cite the work as follows: International Telecommunication Union, Digital Identity Roadmap Guide. Creative Commons Attribution 3.0 IGO (CC BY 3.0 IGO). Translations — If you create a translation of this work, please add the following disclaimer along with the attribution: This translation was not created by the International Telecommunication Union (ITU) and should not be considered an official translation.
  • What Is an Identity Provider? Why Does My Company Need to Become One?

    What Is an Identity Provider? Why Does My Company Need to Become One?

    WHITE PAPER WHAT IS AN IDENTITY PROVIDER? WHY DOES MY COMPANY NEED TO BECOME ONE? Tame Mobile and Cloud Security Risks: Become an IdP Executive Overview Enterprises face security threats from all directions. According to the Identity Theft Resource Center, there were 189 known breaches from January 1 of this year through the beginning of June. Those breaches exposed approximately 13.7 million records. Meanwhile, trends intended to benefit the enterprise, such as cloud computing and mobility, often introduce unintended risks. The weak link in our online economy is trust. If you boil that down further, much of the lack of trust stems from the inability to verify online identities. It is increasingly difficult to know whether people (or companies) on the Internet are who they say they are. To address today’s security risks and to embrace new technology trends such as cloud, mobility and SaaS, enterprises must rethink how they handled their employees’ identities. Fortunately, the industry has been moving towards federated Single Sign On (SSO) solutions, and has been standardizing building blocks like SAML and OpenID. Enterprises should build on these standards in order to become Identity Providers (IdP). By becoming an IdP, companies can better control, enforce and extend security standards to all on-premise and cloud-based applications in their organizations, as well as to mobile devices. This paper will discuss the reasons enterprises should become IdPs, what becoming an IdP involves, and why you should automate as much of this process as possible. Introduction: New Security Risks Undermine Online Business In August 2012, a hacker crafted a wickedly specific social engineering attack to target Wired writer Mat Honan.
  • Digital Identity in Banking What Ceos Need to Know About Best Practices and Future Directions

    Digital Identity in Banking What Ceos Need to Know About Best Practices and Future Directions

    Digital Identity In Banking What CEOs Need to Know About Best Practices and Future Directions RON SHEVLIN Director of Research Cornerstone Advisors TABLE OF CONTENTS 1 Digital Identity: A Challenge As Old As The Internet 3 Technology Developments In Digital Identity Management 7 Five Forces Shaping Digital Identity Management 15 Best Practices In Digital Identity Management For Today 17 Conclusion 19 About Cornerstone Advisors 19 Avoka (now Temenos) 20 Endnotes © 2018 Cornerstone Advisors. All rights reserved. Reproduction of this report by any means is strictly prohibited without written permission. DIGITAL IDENTITY: A CHALLENGE AS OLD AS THE INTERNET Although the topic of digital identity gets daily attention today in 2018, it’s hardly a new topic. In 1993, The New Yorker published what has become one of the most—if not the most—iconic cartoons about the Internet (Figure 1). In it, one dog says to another, “On the Internet, nobody knows you’re a dog.” Twenty-five years ago, many people saw the ability FIGURE 1: New Yorker Cartoon on Digital Identity to remain anonymous as a feature of the Internet, not a liability. Despite a quarter century of techno- logical advances that include e-commerce, social media, and the smartphone: “There is still no easy way to prove online that you are not a dog, are over 18, live at a certain address, graduated from a certain school, work at a specific company, or own a specific asset. These kinds of assertions about ourselves are difficult to trust because they are nearly impossible to verify.” 1 Source: The New Yorker WHY IS DIGITAL IDENTITY STILL A PROBLEM? If we’ve seen 25 years of technological advances, then why is digital identity still a problem? Three reasons: 1) There are no standardized formats for digital credentials; 2) There are no standardized methods to verify the source and integrity of digital credentials; and 3) The technological advances that have occurred over the past 25 years have exasperated the problem—not alleviated it.
  • City Research Online

    City Research Online

    Li, F. (2015). Context-Aware Attribute-Based Techniques for Data Security and Access Control in Mobile Cloud Environment. (Unpublished Doctoral thesis, City University London) City Research Online Original citation: Li, F. (2015). Context-Aware Attribute-Based Techniques for Data Security and Access Control in Mobile Cloud Environment. (Unpublished Doctoral thesis, City University London) Permanent City Research Online URL: http://openaccess.city.ac.uk/11891/ Copyright & reuse City University London has developed City Research Online so that its users may access the research outputs of City University London's staff. Copyright © and Moral Rights for this paper are retained by the individual author(s) and/ or other copyright holders. All material in City Research Online is checked for eligibility for copyright before being made available in the live archive. URLs from City Research Online may be freely distributed and linked to from other web pages. Versions of research The version in City Research Online may differ from the final published version. Users are advised to check the Permanent City Research Online URL above for the status of the paper. Enquiries If you have any enquiries about any aspect of City Research Online, or if you wish to make contact with the author(s) of this paper, please email the team at [email protected]. Context-Aware Attribute-Based Techniques for Data Security and Access Control in Mobile Cloud Environment A Thesis Submitted to City University London, School of Engineering and Mathematical Sciences In
  • Beyond X.509: Token-Based Authentication and Authorization for HEP

    Beyond X.509: Token-Based Authentication and Authorization for HEP

    Beyond X.509: Token-based Authentication and Authorization for HEP Andrea Ceccanti, Marco Caberletti, Enrico Vianello, Francesco Giacomini INFN CNAF CHEP 2018 Sofia, July 12th 2018 The current WLCG AAI In operation since ~2003, and still working nicely: • X.509 trust fabric provided by IGTF (tells services which CAs are trusted) • X.509 certificates provided to users for authentication • Proxy certificates for Single Sign-On (SSO) and delegation • VOMS attribute certificates for attribute-based authorization (issued and Slide by Ákos Frohner signed by VO-scoped VOMS servers) Beyond X.509: Token-based Authentication & Authorization for HEP - CHEP 2018, Sofia 2 Current WLCG AAI: the weak points Usability • X.509 certificates are difficult to handle for users • VOMS does not work in browsers Inflexible authentication • Only one authentication mechanism supported: X.509 certificates • Hard to integrate identity federations Authorization tightly bound to authentication mechanism • VOMS attributes are inherently linked to an X.509 certificate subject Ad-hoc solution • We had to invent our own standard and develop ad-hoc libraries and central services to implement our own AAI Can we do better today? Beyond X.509: Token-based Authentication & Authorization for HEP - CHEP 2018, Sofia 3 A novel AAI for WLCG: main challenges Authentication Delegation • Flexible, able to accomodate • Provide the ability for services to various authentication mechanisms act on behalf of users - X.509, username & password, • Support for long-running EduGAIN, social logins
  • Digital Identity

    Digital Identity

    Building Trusted & Resilient DIGITAL IDENTITY JULY 2019 Business Roundtable CEO members lead companies with more than 15 million employees and $7.5 trillion in revenues. The combined market capitalization of Business Roundtable member companies is the equivalent of over 27 percent of total U.S. stock market capitalization, and Business Roundtable members invest nearly $147 billion in research and development — equal to over 40 percent of total U.S. private R&D spending. Our companies pay $296 billion in dividends to shareholders and generate $488 billion in revenues for small and medium-sized businesses. Business Roundtable companies also make more than $8 billion in charitable contributions. Learn more at BusinessRoundtable.org. Copyright © 2019 by Business Roundtable Building Trusted & Resilient DIGITAL IDENTITY JULY 2019 CONTENTS Introduction 2 Digital Identity Today: Promise & Challenges 3 A Vision for the Future: Objectives for Improving Digital Identity 6 An Action Plan to Establish Trust & Resiliency in Digital Identity 8 Conclusion 13 Appendix: Primer on Digital Identity 14 Endnotes 18 Building Trusted and Resilient Digital Identity 1 Introduction The ability of individuals to recognize and use creative and sophisticated tools to stay a step ahead. As a result, illegitimate identity may trust each other plays a fundamental role in well be the likeliest path for fraud and other cybersecurity intrusions. economic and social interactions. Yet having a digital identity is more than a data Before the digital age, identification systems protection and security mechanism — it enables relied upon physical documents and face-to-face individual users and institutions to establish an interactions. The internet and the proliferation appropriate level of trust to transact and interact of internet-enabled devices have dramatically in the digital world, including activities ranging changed the interplay between individuals and from banking to health care to social media.
  • OK: Oauth 2.0 Interface for the Kerberos V5 Authentication Protocol

    OK: Oauth 2.0 Interface for the Kerberos V5 Authentication Protocol

    OK: OAuth 2.0 interface for the Kerberos V5 Authentication Protocol James Max Kanter Bennett Cyphers Bruno Faviero John Peebles [email protected] [email protected] [email protected] [email protected] 1. Problem Kerberos is a powerful, convenient framework for user authentication and authorization. Within MIT, Kerberos is used with many online institute services to verify users as part of Project Athena. However, it can be difficult for developers unfamiliar with Kerberos development to take advantage of its resources for use in third-party apps. OAuth 2.0 is an open source protocol used across the web for secure delegated access to resources on a server. Designed to be developer-friendly, OAuth is the de facto standard for authenticating users across sites, and is used by services including Google, Facebook, and Twitter. Our goal with OK Server is to provide an easy way for developers to access third-party services using Kerberos via OAuth. The benefits of this are twofold: developers can rely on an external service for user identification and verification, and users only have to trust a single centralized server with their credentials. Additionally, developers can request access to a subset of Kerberos services on behalf of a user. 2. Implementation overview Our system is composed of two main components: a server (the Kerberos client) to retrieve and process tickets from the MIT KDC, and an OAuth interface (the OAuth server) to interact with a client app (the app) wishing to make use of Kerberos authentication. When using our system, a client application uses the OAuth protocol to get Kerberos service tickets for a particular user.
  • Identity Management, Privacy, and Price Discrimination

    Identity Management, Privacy, and Price Discrimination

    Identity Management Identity Management, Privacy, and Price Discrimination In economics, privacy is usually discussed in the context of consumer preferences and price discrimination. But what forms of personal data privacy are compatible with merchants’ interests in knowing more about their consumers, and how can identity management systems protect information privacy while enabling personalization and price discrimination? ALESSANDRO n the economics literature, privacy is usually dis­ or her purchas­ ACQUISTI cussed in the context of consumer preferences ing history. Carnegie and reservation prices: merchants are interested Identity management systems can support such Mellon in finding out a consumer’s preferences because selective information revelation strategies by giving University Ifrom those they can infer the consumer’s maximum consumers greater control over which identities are willingness to pay for a good (his reservation price). established, which attributes are associated with them, The ability to identify consumers and track their pur­ and under what circumstances they’re revealed to oth­ chase histories, therefore, lets merchants charge prices ers. Therefore, such systems allow for transactions in that extract as much surplus as possible from the sale, which some level of information sharing is accompa­ which is what economists call price discrimination.1–3 nied by some level of information hiding. At the same In this context, consumer privacy concerns reduce to time, economic views of privacy that are more granu­ individuals’
  • Vmware Workspace ONE Access 20.01 Managing User Authentication Methods in Vmware Workspace ONE Access

    Vmware Workspace ONE Access 20.01 Managing User Authentication Methods in Vmware Workspace ONE Access

    Managing User Authentication Methods in VMware Workspace ONE Access JAN 2020 VMware Workspace ONE Access 20.01 Managing User Authentication Methods in VMware Workspace ONE Access You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ VMware, Inc. 3401 Hillview Ave. Palo Alto, CA 94304 www.vmware.com © Copyright 2020 VMware, Inc. All rights reserved. Copyright and trademark information. VMware, Inc. 2 Contents 1 Configuring Authentication in VMware Workspace ONE Access 5 2 User Auth Service Authentication Methods in Workspace ONE Access 8 Configuring Password (Cloud) Authentication in Workspace ONE Access 9 Configure Password (Cloud) Authentication with Your Enterprise Directory 10 Configuring RSA SecurID (Cloud) For Workspace ONE Access 13 Prepare the RSA SecurID Server 13 Configure RSA SecurID Authentication in Workspace ONE Access 14 Configuring RADIUS for Workspace ONE Access 16 Prepare the RADIUS Server 16 Configure RADIUS Authentication in Workspace ONE Access 16 Enable User Auth Service Debug Logs In Workspace ONE Access Connector 19 3 Configuring Kerberos Authentication In Workspace ONE Access 21 Configure and Enable Kerberos Authentication in Workspace ONE Access 21 Configuring your Browser for Kerberos 23 Configure Internet Explorer to Access the Web Interface 23 Configure Firefox to Access the Web Interface 24 Configure the Chrome Browser to Access the Web Interface 25 Kerberos Initialization Error in Workspace ONE Access 26 4 Associate Workspace ONE Access Authentication Methods