Identity Access Management

Dated May 28, 2023; last modified on Sun, 28 May 2023

(Based on the table of contents in https://auth0.com/intro-to-iam)

Authentication refers to granting the user (or an application acting on behalf of a user) credentials to access a given resource. I don’t know the difference between SAML, OAuth, and OpenID. I’ve seen OAuth used when granting apps access to other apps, e.g., granting Netlify an OAuth token for accessing a GitHub repository.

Of the authentication methods, I’m familiar with Single Sign-On (SSO) and Multi-Factor Authentication (MFA). I don’t know about Passwordless Authentication. SSO occurs when, say, signing into accounts.microsoft.com grants you access to office.microsoft.com, tasks.microsoft.com, etc.; presumably the SSO token should work on *.bing.com given that microsoft.com and bing.com are owned by the same entity? Not sure how cross-domain SSO works though. MFA refers to requiring a second form of authentication, e.g., entering a password and also validating a prompt sent to your phone; the idea is that it’s less likely for the attacker to have access to both authentication methods. Passwordless seems like it’d cover alternate methods like biometrics that are available on newer computers and phones.

On the difference between authentication and authorization, the former might be more active, i.e., an authenticated user has made an effort to access a resource. An authorized user seems more passive, e.g., a manager is authorized to view a report’s records, but the manager would need to prove themselves (authenticate) before access can be granted. Role-Based Access Control (RBAC) sounds like a design perspective where permissions are defined in terms of role groups, e.g., to grant permission to a user, that user is added to an appropriate role group, which transitively grants them access. I’ve seen RBACs in cloud platforms like AWS, e.g., a database having a read/write group, read-only group, etc.

Authentication is the act of identifying a user or a device, i.e., verifying that they are who they claim to be. Authorization is the act of allowing or denying users and devices access rights. Authentication is usually an input to authorization decisions (e.g., presenting ID to a bank clerk establishes who you are, and the bank’s records then authorize access to the funds in your account). The reverse does not hold: authorization artifacts such as an access token need not identify the user or device presenting them.

Authentication Methods

A username and password combination is the most common authentication factor. It comes with well-known pitfalls: weak passwords, passwords reused across sites (so one breach unlocks many accounts), and stolen passwords, e.g., via phishing or database breaches.

Authentication factors are classified into something you know, e.g., a username-password combo or a PIN; something you have, e.g., a one-time code from a phone app or a hardware token; and something you are, e.g., biometrics. Multi-Factor Authentication (MFA) combines factors from different classes, e.g., Two-factor authentication (2FA) may pair a username & password with a code texted to the phone (two passwords would not count as two factors). Passwordless Authentication drops the something-you-know factor and relies on something you have and/or something you are, e.g., a one-time code or magic link sent by email or SMS, a Time-based One-Time Password (TOTP) generated by an authenticator app from a shared seed and the current time, or a biometric check on the device.

Single Sign-On (SSO) allows multiple applications to share the same authentication session. SSO reduces risk because the user holds fewer credentials (so less reuse), and that single, powerful credential can be protected with MFA; the trade-off is that the one session now unlocks every application, so the authentication server’s session cookie is a high-value target. If a user wants to access domain1.com, they’re redirected to the authentication server, domain3.com, where they authenticate; domain3.com sets a session cookie and redirects the browser to domain1.com with an auth artifact (e.g., an authorization code or a SAML assertion) that domain1.com can exchange for a token used to prove the user’s identity on subsequent access to domain1.com. If the user then accesses domain2.com in the same browser session, domain2 redirects to domain3, but domain3 sees its session cookie, skips the interactive login, and redirects the browser back to domain2 with a fresh auth artifact that may be exchanged for a token.

Step-Up Authentication relies on MFA to raise assurance for specific parts of an application, e.g., a user with a password-only session is prompted for a second factor only when accessing resources that are more sensitive than others (changing a payout account, exporting records). The aim is a better balance between user experience and data security than forcing MFA on every login.

Authentication and Authorization Standards

Security Assertion Markup Language (SAML 2.0) is an XML-based authentication protocol in which an Identity Provider (IdP) issues digitally signed XML documents (SAML Assertions) that allow an end-user to access a Service Provider (SP). The SP is the relying party, i.e., the service requesting and consuming the assertion from the IdP. When a user tries to log into external.com (the SP), they get redirected to internal.com (the IdP’s SSO page) where they authenticate, and are then redirected back to external.com with a SAML assertion proving their identity. external.com must verify the assertion’s signature and its conditions (intended audience, validity window) before trusting it.

Open Authorization (OAuth 2.0) is an authorization framework that gives a client application consented, scoped access to resources on behalf of the user, without ever sharing the user’s credentials with the client. Before OAuth 2.0 can be used, the client is registered with the Authorization Server and receives a client ID (and, for confidential clients such as server-side apps, a client secret) with which it identifies and authenticates itself when it exchanges an authorization code for an Access Token. The basic (authorization code) flow is:

  • The client redirects the user’s browser to the authorization server with its client ID, the requested scopes, a state value, and the registered redirect URI to which the Authorization Code should be sent. The client secret is not included here, because this request passes through the user’s browser.
  • The authorization server recognizes the client, checks that the redirect URI is one registered for that client, and verifies that the requested scopes are permitted.
  • The resource owner (the user) authenticates to the authorization server and consents to the requested scopes.
  • The Authorization Server redirects the browser back to the client’s redirect URI with a short-lived, single-use Authorization Code (and the state value). The client then sends the code, together with its client credentials, to the token endpoint and receives an Access Token and maybe a Refresh Token. (The older implicit flow returned the Access Token directly in the redirect and is now discouraged.)
  • With the Access Token, the client requests the resource from the Resource Server, which checks the token and its scopes before answering.
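As an added example (not code from the original page or from Auth0), the following in-memory model walks through the authorization code flow just listed and, because the authorization server keeps the login session, also shows the SSO behaviour from the Single Sign-On section: the first client triggers an interactive login, the second gets a code on the session cookie alone. Clients, users, secrets and the `*.example` hosts are all made up; the resource server shares the token store for brevity, where a real one would use token introspection or a verifiable token format.

```python
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse


class AuthorizationServer:
    """Plays domain3.com from the SSO section: holds the login session, mints codes and tokens."""
    CODE_TTL = 60   # seconds; authorization codes are short-lived and single-use

    def __init__(self, clients: dict, users: dict):
        self.clients = clients     # client_id -> {"secret", "redirect_uris", "scopes"}
        self.users = users         # username -> password (constructed stand-in for a real check)
        self.sessions = {}         # session cookie -> username
        self.codes = {}            # code -> what it is bound to
        self.tokens = {}           # access token -> {"user", "scope", "client_id", "code"}

    def authorize(self, client_id, redirect_uri, scope, state, session=None, login=None):
        """Front channel (via the user's browser). No client secret is sent here."""
        client = self.clients.get(client_id)
        if client is None or redirect_uri not in client["redirect_uris"]:
            raise ValueError("unknown client or unregistered redirect_uri")  # never redirect a code elsewhere
        if not set(scope.split()) <= set(client["scopes"]):
            raise ValueError("scope not permitted for this client")
        user = self.sessions.get(session)
        if user is None:                       # no SSO session: interactive login needed
            if login is None or self.users.get(login[0]) != login[1]:
                raise PermissionError("interactive login required")
            user, session = login[0], secrets.token_urlsafe(32)
            self.sessions[session] = user
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri, "scope": scope,
                            "user": user, "exp": time.time() + self.CODE_TTL}
        return redirect_uri + "?" + urlencode({"code": code, "state": state}), session

    def token(self, client_id, client_secret, code, redirect_uri):
        """Back channel (client to server). The client authenticates, then swaps the code."""
        client = self.clients.get(client_id)
        if client is None or not secrets.compare_digest(client["secret"], client_secret):
            raise PermissionError("client authentication failed")
        grant = self.codes.pop(code, None)     # pop: a code can only ever be exchanged once
        if grant is None:
            # A second exchange of the same code suggests it leaked: revoke what it produced.
            for t in [t for t, v in self.tokens.items() if v["code"] == code]:
                del self.tokens[t]
            raise PermissionError("invalid or already used code")
        if (grant["client_id"] != client_id or grant["redirect_uri"] != redirect_uri
                or grant["exp"] < time.time()):
            raise PermissionError("code not issued to this client/redirect_uri, or expired")
        access = secrets.token_urlsafe(32)
        self.tokens[access] = {"user": grant["user"], "scope": grant["scope"],
                               "client_id": client_id, "code": code}
        return {"access_token": access, "token_type": "Bearer", "scope": grant["scope"]}


class ResourceServer:
    """Checks the bearer token and its scope before serving the resource."""
    def __init__(self, auth: AuthorizationServer):
        self.auth = auth

    def read_repo(self, bearer: str):
        info = self.auth.tokens.get(bearer)
        if info is None or "repo:read" not in info["scope"].split():
            return 403, None
        return 200, f"repo contents visible to {info['user']}"


def fails_with(fn, *args, **kwargs):
    """Demo helper: name of the exception fn raises, or None if it succeeds."""
    try:
        fn(*args, **kwargs)
    except Exception as err:
        return type(err).__name__
    return None


def run_sso_demo():
    """domain1 logs the user in interactively; domain2 then gets a code on the session alone."""
    clients = {"netlify-demo": {"secret": "s3cret-A", "redirect_uris": ["https://domain1.example/cb"],
                                "scopes": ["repo:read", "repo:write"]},
               "ci-demo": {"secret": "s3cret-B", "redirect_uris": ["https://domain2.example/cb"],
                           "scopes": ["repo:read"]}}
    auth = AuthorizationServer(clients, {"alice": "correct horse"})
    rs = ResourceServer(auth)
    loc, cookie = auth.authorize("netlify-demo", "https://domain1.example/cb", "repo:read",
                                 state="xyz", login=("alice", "correct horse"))
    q = parse_qs(urlparse(loc).query)
    tok1 = auth.token("netlify-demo", "s3cret-A", q["code"][0], "https://domain1.example/cb")
    loc2, cookie2 = auth.authorize("ci-demo", "https://domain2.example/cb", "repo:read",
                                   state="abc", session=cookie)          # no login= needed
    q2 = parse_qs(urlparse(loc2).query)
    tok2 = auth.token("ci-demo", "s3cret-B", q2["code"][0], "https://domain2.example/cb")
    return {"auth": auth, "state_echoed": q["state"][0], "same_session": cookie == cookie2,
            "domain1_read": rs.read_repo(tok1["access_token"])[0],
            "domain2_read": rs.read_repo(tok2["access_token"])[0], "used_code": q["code"][0]}
```

The checks worth copying are the ones that fail closed: an exact-match redirect URI, a code bound to the client and redirect URI that requested it, single use with revocation on reuse, and client authentication only on the back channel.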

OpenID Connect (OIDC) is an identity layer on top of OAuth 2.0 that lets a client verify the identity of the user. It adds a special scope value, openid, and an ID Token: a signed JSON Web Token (JWT) whose claims encapsulate identity (e.g., a persistent subject identifier sub, email address, the issuer, the intended audience, and an expiry). The client must validate the ID Token’s signature, issuer, audience, expiry, and the nonce it sent in the request before using any of its claims.
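As an added example (not code from the original page or from Auth0), the following mints an ID Token as an HS256 JWT signed with the client secret, which OIDC permits for confidential clients, and then performs the validation a relying party owes it: signature with a pinned algorithm, issuer, audience, expiry, and nonce. The issuer URL, client id, secret, user and timestamps are constructed; a provider using RS256 would need a public-key check in place of the HMAC, but the claim checks are the same.

```python
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims: dict, client_secret: str) -> str:
    """What the OpenID Provider does: header.payload.signature, HMAC-SHA256 keyed with the
    client secret (the symmetric scheme OIDC allows for confidential clients)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode())
    sig = hmac.new(client_secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def validate_id_token(token: str, client_secret: str, issuer: str, client_id: str,
                      nonce: str, now: int) -> dict:
    """What the client (relying party) must do before trusting a single claim. The accepted
    algorithm is pinned by the verifier rather than read from the token, so an attacker
    cannot downgrade to alg=none or swap in a different key type."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h_b64, p_b64, s_b64 = parts
    if json.loads(b64url_decode(h_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(client_secret.encode(), f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p_b64))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if client_id not in aud:
        raise ValueError("token not intended for this client")   # a token minted for another app
    if len(aud) > 1 and claims.get("azp") != client_id:
        raise ValueError("azp must name this client when aud has several entries")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    if claims.get("iat", 0) > now + 60:        # 60 s of clock skew tolerated
        raise ValueError("issued in the future")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch")     # binds the token to this client's own login request
    if not claims.get("sub"):
        raise ValueError("missing sub")
    return claims


def validation_error(*args, **kwargs):
    """Demo helper: the reason a token is rejected, or None when it validates."""
    try:
        validate_id_token(*args, **kwargs)
    except ValueError as err:
        return str(err)
    return None


# Constructed identifiers for the demo; none of these belong to a real provider.
ISSUER, CLIENT_ID, CLIENT_SECRET, NONCE = "https://idp.example", "notes-app", "demo-client-secret", "n-4f2a"


def demo(now: int = 1_700_000_000):
    """Mints a constructed ID token for subject 'user-123' and validates it at time `now`."""
    claims = {"iss": ISSUER, "sub": "user-123", "aud": CLIENT_ID, "exp": now + 300,
              "iat": now, "nonce": NONCE, "email": "alice@example.com"}
    token = mint_id_token(claims, CLIENT_SECRET)
    return token, validate_id_token(token, CLIENT_SECRET, ISSUER, CLIENT_ID, NONCE, now)
```

The audience check is the one that distinguishes an ID Token from a bare access token: a token issued to some other application validates perfectly on signature and issuer, and is still worthless as proof of who is logging in here.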

While SAML and OIDC are both identity protocols, OIDC is newer and was designed with web and mobile applications (and JSON/REST APIs) in mind. SAML is more mature and fully featured; OIDC is relatively simple and especially attractive in consumer spaces where the requirements are simpler.

SAML supports Single Sign-On directly. OAuth 2.0 by itself is an authorization framework: it does not define how the user is authenticated, so it provides neither identity nor SSO on its own. That said, OAuth is frequently coerced into an authentication role, e.g., “sign in with a Facebook account” built on a bare access token; the pitfall is that an access token proves the client may call an API, not who the user is (a token issued to a different app can be substituted), which is the gap OIDC’s ID Token closes. SAML defines the token format, including XML signature and encryption, while OAuth 2.0 leaves the access token format opaque to the client (bearer tokens are often JWTs by convention) and relies on HTTPS to protect tokens in transit.

References

  1. What is Authentication? Definition and uses. auth0.com. Accessed May 28, 2023.
  2. What is Single-Sign On (SSO) and how does it work? auth0.com. Accessed May 28, 2023.
  3. What is Multi-Factor Authentication (MFA)? auth0.com. Accessed May 28, 2023.
  4. What is SAML 2.0 and how does it work for you? auth0.com. Accessed May 28, 2023.
  5. What is OAuth 2.0 and what does it do for you? auth0.com. Accessed May 28, 2023.
  6. What is OpenID Connect and what do you use it for? auth0.com. Accessed May 28, 2023.
  7. What is OpenID vs SAML? Find out the differences. auth0.com. Accessed May 28, 2023.
  8. What is Authentication vs Authorization? - Auth0. auth0.com. Accessed May 28, 2023.
  9. What is SAML vs OAuth? Find out what's different - Auth0. auth0.com. Accessed May 28, 2023.