Just what is Identity Federation?
I always describe it as being like a driver’s license in the U.S. There is no national driver’s license, every state (plus the District of Columbia for the nation’s capital, plus Caribbean and Pacific territories) issues its own. They are, however, recognized from one state to another. I could use my Indiana license to rent a car in California, and if I violated the local traffic laws, the California police would communicate with my state to check its validity and report what I had gotten up to. The TSA may not realize that a Washington D.C. license is a valid U.S. document, but that’s another matter.
In order to federate identities across multiple domains on the Internet, we need a mechanism and a communication protocol. OAuth 2.0 and OpenID Connect are the major choices. Strictly speaking, OAuth is an authorization framework (it hands out tokens that grant access to resources) and OpenID Connect is the identity layer built on top of it, but in practice the "Log in with ..." button on a web site uses the two together.
Last year I told you how the lead author of the OAuth 2.0 specification walked away from it, citing problems with security and interoperability, so we know we must be careful.
Many web sites have a Covert Redirect vulnerability. It is triggered through OAuth 2.0 and OpenID logins, but it is important to realize that the vulnerability is in the coding of those sites (an open redirect on the relying-party site, plus an identity provider that accepts any redirect_uri on the registered domain instead of an exact match), it is not in the protocols themselves.
Here’s what’s going on.
Let’s say you have designed a web site on which you require that your users authenticate themselves. You decided that it would be difficult, and therefore a little risky, security-wise, to implement your own authentication from scratch. I agree!
There are third-party cloud-based authentication services out there, prominent examples include RSA Federated Identity Manager, CA CloudMinder, and Ping Identity. You have to pay to use those, but you are getting quality services from top-tier security vendors.
Some people think it’s a good idea to turn authentication over to Facebook, Twitter, and Google, because “everybody uses those” and it’s free. OK…
You aren't getting the RSA/CA/Ping/etc. level of support and help with the API for your site, so this is where the risk increases.
An open redirect on any of your pages can lead to the loss of control of a user identity on your site. An attacker crafts a login link in which the redirect_uri parameter points at your open-redirect page, with your page's own "next" parameter pointing at the attacker's server. The user authenticates with the identity provider as usual, the provider sends the token (or authorization code) back to your page, and your page obligingly forwards the browser, token and all, to the attacker.
A detailed technical description of the vulnerability and how to avoid it is beyond the scope of what I can do in this blog, but there is no need, as Danny Thorpe has written a great explanation.
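To make the mechanism concrete, here is an added illustration (not code from the original post, nor from any of the vendors or providers mentioned): a relying-party site with an open redirect, the same handler hardened to accept only same-site paths, and the provider-side redirect_uri check done two ways, loose domain-only matching versus an exact allowlist. The provider, client and attacker URLs, the client_id and the `next` parameter name are all hypothetical, and the "login" is a simulation of the browser's path through the redirects rather than a real HTTP exchange.

```python
"""Covert Redirect, shown as an open redirect chained onto an OAuth 2.0 login.

All hosts, parameters and the client_id below are made up for illustration.
"""
from urllib.parse import parse_qs, urlencode, urlsplit

# ---- Relying-party site: the "after login, go to ?next=" handler -----------

def vulnerable_redirect_target(next_param: str) -> str:
    """Open redirect: sends the browser wherever the caller asked."""
    return next_param


def safe_redirect_target(next_param: str, default: str = "/") -> str:
    """Hardened: honour only an absolute path on this site, else fall back."""
    if next_param != next_param.strip():        # leading/trailing whitespace
        return default
    if "\\" in next_param:                      # browsers treat "/\x" as "//x"
        return default
    parts = urlsplit(next_param)
    if parts.scheme or parts.netloc:            # https://evil, //evil, javascript:
        return default
    if not parts.path.startswith("/") or parts.path.startswith("//"):
        return default
    return next_param


# ---- Identity provider: how the requested redirect_uri is validated --------

def domain_only_match(registered: set, requested: str) -> bool:
    """The loose check that makes Covert Redirect work: same host is enough."""
    hosts = {urlsplit(r).netloc for r in registered}
    return urlsplit(requested).netloc in hosts


def exact_match(registered: set, requested: str) -> bool:
    """Exact allowlist match, what a provider should do."""
    return requested in registered


# ---- Attacker: craft the login link -----------------------------------------

def build_covert_redirect_link(authorize_url, client_id, open_redirect, attacker_url):
    """redirect_uri lands on the site's open redirect, which then forwards on."""
    redirect_uri = open_redirect + "?" + urlencode({"next": attacker_url})
    return authorize_url + "?" + urlencode({
        "response_type": "token",        # implicit flow: token in the URL fragment
        "client_id": client_id,
        "redirect_uri": redirect_uri,
    })


# ---- Simulation of the browser's trip through provider and site -----------

def simulate_login(match_fn, registered, login_link, site_handler):
    """Return the final URL the browser ends up on, or None if the provider refuses."""
    requested = parse_qs(urlsplit(login_link).query)["redirect_uri"][0]
    if not match_fn(registered, requested):
        return None                       # provider rejects the redirect_uri
    # Implicit flow: provider 302s to redirect_uri#access_token=...; the site's
    # handler then 302s again, and browsers re-attach the fragment to a
    # Location header that has none, so the token rides along.
    token_fragment = "#access_token=SECRET"
    next_param = parse_qs(urlsplit(requested).query).get("next", ["/"])[0]
    return site_handler(next_param) + token_fragment


# Constructed sample values
PROVIDER_AUTHORIZE = "https://idp.example/oauth/authorize"
CLIENT_ID = "demo-client"
REGISTERED_URIS = {"https://yoursite.example/oauth/callback"}
SITE_OPEN_REDIRECT = "https://yoursite.example/go"
ATTACKER_URL = "https://attacker.example/collect"

if __name__ == "__main__":
    link = build_covert_redirect_link(PROVIDER_AUTHORIZE, CLIENT_ID,
                                      SITE_OPEN_REDIRECT, ATTACKER_URL)
    print("loose provider + open redirect :",
          simulate_login(domain_only_match, REGISTERED_URIS, link, vulnerable_redirect_target))
    print("loose provider + hardened site :",
          simulate_login(domain_only_match, REGISTERED_URIS, link, safe_redirect_target))
    print("exact-match provider           :",
          simulate_login(exact_match, REGISTERED_URIS, link, vulnerable_redirect_target))
```

Either fix on its own stops the token leaking to attacker.example: the exact-match provider never issues it, and the hardened site keeps the browser on "/" so the fragment stays on your origin. Since you control only your own site, the open-redirect fix is the one you must make regardless of what the provider does.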
This is web programming that must be done carefully, and that is the challenge. In Learning Tree's Cloud Security Essentials course we discuss how PaaS APIs provide environments in which things can be done securely.
But how many organizations have the skill in-house to design, implement, and validate secure systems? I think this is why the PaaS market lags far behind SaaS (“Instant gratification!”) and IaaS. (“Let me get my hands on everything!”)