A Framework to Implement Openid Connect Protocol for Federated Identity Management in Enterprises

A Framework To Implement OpenID Connect Protocol For Federated Identity Management In Enterprises

Akshay Rasiwasia
Information Security, master's level (120 credits)
2017
Luleå University of Technology
Department of Computer Science, Electrical and Space Engineering

Abstract

Federated Identity Management (FIM) and Single Sign-On (SSO) improve both productivity and security for organizations by assigning the responsibility for user data management and authentication to one central entity, the identity provider; consequently, users have to maintain only one set of credentials to access resources at multiple service providers. Implementing any FIM and SSO protocol is complex because of the involvement of multiple organizations, sensitive user data, and myriad security issues. There are many instances of faulty implementations that traded security for ease of implementation for lack of proper guidance. OpenID Connect (OIDC) is the latest protocol for implementing Federated Identity Management; it is an open standard, lightweight and platform independent, offers several advantages over the legacy protocols, and is expected to see widespread use. An implementation framework that addresses all the important aspects of the FIM lifecycle is required to ensure the proper application of the OIDC protocol at the enterprise level. In this research work, an implementation framework was designed for the OIDC protocol by incorporating the important requirements of enterprise-level federated identity management from a managerial, technical and security perspective. The research work closely follows the design science research process, and the framework was evaluated for its completeness, efficiency, and usability.

Akshay Rasiwasia i Luleå University of Technology | Master Thesis

Contents

1. Introduction (p. 1)
  1.1. Background (p. 1)
  1.2. Problem Description (p. 3)
  1.3. Knowledge Gap (p. 3)
  1.4. Research Goal (p. 4)
  1.5. Research Outcome (p. 4)
  1.6. Structure of the Thesis (p. 4)
  1.7. Summary (p. 4)
2. Literature Review (p. 7)
  2.1. Literature Review Process (p. 7)
  2.2. Summary (p. 9)
3. Foundation Concepts (p. 11)
  3.1. Digital Identity Management (p. 11)
  3.2. Authentication (p. 13)
  3.3. Authorization (p. 13)
  3.4. Federated Identity Management (FIM) (p. 13)
  3.5. Single Sign-On (SSO) (p. 15)
  3.6. Summary (p. 16)
4. Key Issues in Identity Management (p. 17)
  4.1. Identity Management & Privacy (p. 17)
  4.2. Attribute Management (p. 18)
  4.3. Cloud and Identity Management (p. 19)
  4.4. Security Attacks on Identity Management (p. 20)
  4.5. Logging out in FIM (p. 22)
  4.6. Summary (p. 22)
5. Existing Protocols and Solutions (p. 25)
  5.1. Kerberos (p. 25)
  5.2. Security Assertion Markup Language (SAML) (p. 26)
  5.3. Shibboleth (p. 28)
  5.4. OpenID (p. 29)
  5.5. OAuth (p. 29)
  5.6. Summary (p. 30)
6. OpenID Connect for Enterprise FIM (p. 31)
  6.1. OpenID Connect (p. 31)
  6.2. Key Features of OpenID Connect (p. 31)
  6.3. OIDC Technical Specifications (p. 32)
  6.4. OIDC vs. SAML (p. 34)
  6.5. Limitations of OIDC (p. 35)
  6.6. Summary (p. 35)
7. Methodology (p. 37)
  7.1. Research Method (p. 37)
  7.2. Design Science Approach (p. 37)
  7.3. Research Method Realization (p. 38)
  7.4. Summary (p. 38)
8. Requirements (p. 39)
  8.1. Choice of Method (p. 39)
  8.2. Initial Requirements (p. 39)
  8.3. Requirement Processing (p. 41)
  8.4. Final Requirements (p. 42)
  8.5. Summary (p. 44)
9. Design Implementation Framework for OIDC (p. 45)
  9.1. Choice of Method (p. 45)
  9.2. Development Process

Details

  • File Type: pdf
  • Content Languages: English
  • File Pages: 103