Authentication Protocols 정리

This post describes the types of Authentication protocols including LDAP, SAML, OAUTH and OIDC.
Minha Sohn's avatar
Oct 04, 2023
Authentication Protocols 정리
목차
LDAP (Lightweight Directory Access Protocol)
SAML (Secure Assertion Markup Language)
Backgrounds
Open industry standard created in the 1990s, before Internet took off! Still widely used today, and highly flexible
Created in the 2000s, assertion-based Federates identities to web applications
Use of Area
Directory platforms (Active Directory)
It’s widely use for SSO
Differences
Mostly used for the backed of user authentication, such as storing information about people and sharing for authentication purposes
Extends user credentials to the cloud and other web applications
Ultimate source of truth for user identities Run Efficient and high control on the systems, and gives it organizations a great deal of control over authentication and authorization Run it from the cloud reduces maintenance, complexity and total cost of ownership
Protocol for exchanging authentication between directories and web apps provision user access to web application through SCIM Historically paired with a core directory service Isn’t the source of truth, but it complements the directory by performing the identity and authentication process that’s necessary to log into web apps
Use cases
Used for authentications in Linux applications, such as openVPN, Docker, Jenkins Standalone authentications, firwa lls that don’t support radius

LDAP (Lightweight Directory Access Protocol)

  • One of the core authentication protocols that was developed for directory services
    • It has been used as a database of information, users, attributes about the users, or group membership privileges

Directory Service

  • 폴더를 생각하기 쉽지만, 데이터 관리에서 말하는 directory란 읽기 작업에 특화 되어 있는 많은 양의 데이터를 담은 정보 저장소라고 생각하면 된다.
    • 사전적 의미로, 체계적이고 조직적인 계획을 통해 정보를 질서정연하게 담은 정보 저장소로서 특정화된 데이터베이스 이며, 쓰기 작업 보다는 읽기 작업이 빈번한 서비스에 적합
  • 맨 처음 X.500이 데렉토리 서비스의 표준 프로토콜로 등장했고, 이는 OSI 7 계층의 application layer에 속하는 프로토콜로 정보 통신 서비스에 필요한 정보를 데이터베이스화하여 효율적으로 관리하고 사용자가 편리하게 접근할 수 있는 기능을 제공

Origin of LDAP

  • LDAP was developed to replace DAP called X.500 at the University of Michigan where Tim who is a co-inventor or the LDAP protocol
  • It was first introduces in 1003, and became the internet standard for directory services in 1997
  • LDAP also inspired the creation of OpenLDAP, the leading open source directory services platform
  • LDAP authentication will be a foundational element of identity management for years to come despite its age.

Basic LDAP Authentication and Common Challenges

  • To store core user identities (IDP) https://jumpcloud.com/blog/identity-provider-idp
    • LDAP directories can store user data and credentials, they can act as the source of truth for LDAP authentication.
    • User inputs their credentials via a system or application, which are then compared to those stored within the LDAP directory database. If they match, the user is authenticated and granted access.

How does LDAP authentication between a client and server work?

  • Client is an LDAP-ready system or application accessed by a user, and the server is the LDAP directory database
  • To authenticate, the client sends a bind request to the LDAP server along with the user’s identifier and password, which the client obtains when the user inputs their credentials.
  • If the user is submitted credentials match the credentials associated with their core user identity that is stored within the LDAP database, the user is authen.
  • If the credentials sent don’t match, the bind fails and access is denied.
notion image
① LDAP Application 이 LDAP API에 요청을 보냅니다.
② LDAP API는 Application에서 받은 요청을 LDAP 서버로 BER 인코딩 후 전송합니다.
③ LDAP 서버는  전송받은 데이터를 디코딩하여 요청을 확인 후 필요한 정보를 Backend에서 검색/추가/삭제를 실시합니다.
④ 요청한 작업이 완료되면 요청완료 정보(Result set)을 다시 BER 인코딩 후 전송하게됩니다.
⑤ LDAP API는 전송받은 정보(Result set)을 디코딩하여 LDAP Application에서 확인할 수있도록 출력해 줍니다.

SAML (Secure Assertion Markup Language)

  • It’s a standardized way to make single SSO possible (SAML assertion is a key aspect of this)
  • Messages between IDP and SP that confidently identify
    • who a user is pertinent information exists
    • what they authorized to access
    • security conditions such as the source of assertion and assure that assertions are valid
  • SAML assertion is written within XML schemas (Outlined in the SAML 2.0 Open Standard)

SAML Assertion Validator

  • Writing XML schemas can be a heavy lift for some organizations and may take time to debug
  • A built-in facility to troubleshoot user login errors
  • It will identify problems and assertions that are sent from IDP. (NOT identify login issues)
  • Does Authentik has assertion validator?

Assertion Statements

  • Statements are encapsulated within SAML assertion and provide significant flexibility for IAM (identity and access management)
  • Statements allow systems to interoperate across domain boundaries and make it possible to securely establish SSO for websites attribute-based user authentication and to secure web services
  • Authentication Statement
    • Generated by the system authenticating the user
    • Contains information about how authentication occurs
    • Logs information (including timestamps)
  • Attribute Statement
    • SAML has the capacity to relay information about users
    • For example, a user’s department or groups, whether they are part of a VIP group that may access a restricted system
    • Basic contact information exists here
  • Authorization Decision Statement
    • Outlines actions the user is entitled to perform
    • For example, accessing a particular web page or a secure area of an app
    • Limit access to sensitive materials
    • Other authentication protocols can’t limit access (OpenID Connect)

OAuth 2

  • Giving someone a special key and this key allow them to access specific information in another application
  • We control who gets access to our data without having to share password.
  • We can revoke that key anytime
  • JWT based, and can define the scope of access that applications have to accounts
    • You might be familiar with this as a general user when a third-party service asks for permission to access your Google account and outlines what assets within your account it will access.

OIDC

  • ID Token: 유저 정보에 한해서 접근 목적으로 사용
  • Access Token: 더 광범위한 범위에서 유저 정보 뿐만아니라, api 등 다른 정보들을 가져올 수 있다.

SCIM (System for Cross-domain Identity Management)

  • A common way to manage user accounts and privileges across apps
  • Company can automatically create, update, delete, or synchronizing changes accounts accross multile applications in real time via a single centralized system
  • REST and JSON based

Proxy Authentication

Forward Proxy

  • A forward proxy server that sits between a group of client machines and the internet.
  • Clients make requests to websites on the internet, the forward proxy act as a middleman, intercepts those requests and talks to web servers on behalf of the clients.
Why do we need this?
  • Protect client’s online identity
    • IP addresses of users are hidden from the servers.
    • Only the IP address of the forward proxy is visible to the server.
    • Therefore, it will be harder to trace back to the clients.
  • Bypass browsing restrictions
    • Governments, schools etcs use firewalls to restrict access to the internet.
    • By connecting to a forward proxy outside the firewalls, the client machine can potentially get around these restrictions.
    • It doesn’t always works as firewalls could block the connections to the proxy.
  • Block access to certain content

Reverse Proxy

  • A reverse proxy server that sits between internet and the web servers.
  • It intercepts the requests from clients and talk to the web server on behalf of the clients
Why do we need this?
  • protect a website
    • Website’s IP addresses are hidden behind the reverse proxy and are not revealed to t he clients.
    • It’s really harder to target a DDoS attack against a website.
  • Load blancing
    • Handling the traffic of milions of users every day is hard with a single server.
    • Reverse proxy can balance a large amount of incoming requests by distributing the traffic to a large pool of web servers and effectively preventing any single one of them from becoming overloaded.
    • It refers that reverse proxy can handle incoming traffic.
    • Such as Cloudflare, put reverse proxy servers all of the locations all around the world. This makes revers proxy closed to the users and at the same time provides a large amount of processing capacity.
  • Cache static contents
    • A piece of content could be cached on the reverse proxy for a period of time.
    • If the same piece of content is requested again from the reverse proxy, the locoally cached version could be quickly returned.
  • A reverse proxy can handle SSL encryption.
    • SSL handshake is computationally expensive.
    • A reverse proxy can free up the origin servers from these expensive operations.
    • Instead of handling SSL for all websites. a website only needs to handle SSL handshake from a small number of reverse proxy..
    •  
Share article

haccoon