I had been involved with multiple Biometric ISV providers and its integration with Sun technologies particularly OpenSSO, IdM, Sun Rays and Solaris. I also had the opportunity to deploy Biometric solutions to few govt organizations that starts with “D” and “N”. Believe it or not…we have few of them in production.
Now, getting down to the specifics – Putting it all together, in simpler terms you will see the solution would look like this…..
Ofcourse the Desktop can be your PC or Sun Ray or anything that capable of running a browser and allows plugin a Biometric Fingerprint Scanner (USB device). If you look into the ingredients of this solution, you would need the following:
- OpenSSO Enterprise 8
- Glassfish V2 Enterprise (Configured to use NSS for FIPS mode)
- BiObex Middleware (Biometric enrollment and authentication provider)
- SecuGen Hamster IV (FIPS-201) or Hamster Plus Fingerprint Scanners.
- BiometricLoginModule (Currently made available through BiObex).
- OpenSSO policy agent (based on your target web container) to help enforce authentication on your protected resources.
For those curious to know ….and concerned about security of using Biometrics as a network credential…here is my answer to those known security issues.
- The communication, callbacks and biometric samples acquired from the device (In transit to the JAAS LoginModule and then to Biometric authentication provider) has been cryptographically protected ensuring a trusted path with both transport and message-level security (as per FIPS-140 requirements). This ensures end-to-end confidentiality and integrity of the messages/communication and thwarts image capture, rogue injection and replay attacks.
- The user session is verified for proof-of-origin that includes host verification and validation for known IPs and hostnames.
- The deployment requires authentication chain with username/password or Certificate authentication (ex. Smartcard PKI) modules to ensure Biometric authentication is used as a second or third factor of the authentication.
- OpenSSO callbacks prompt for random fingerprints as enrolled in BiObex.
Understanding Biometric SSO
Biometric SSO allows users to access multiple applications (for example, Java EE or Web portal applications) after doing a single biometric authentication. In this case, the biometric authentication is managed by the identity provider infrastructure (ex. OpenSSO) that provides single sign-on services to support participating applications (protected resources). The identity provider encapsulates and protects access by making use of pluggable authentication modules (including a JAAS LoginModule for the Biometric authentication provider) from authentication providers. Upon authentication, the identity provider issues an SSO token that is trusted by all participating applications. This means the identity provider grants or denies access to the secured application or resource by issuing an SSO token that represents the user’s sign-on and session information. All participating applications trust the SSO token issued by the identity provider and grant the caller request to proceed for further processing based on the policies and privileges.
OpenSSO provides JAAS based authentication framework for plugging in JAAS LoginModules (from authentication providers) and also allows enabling multi-factor authentication through OpenSSO authentication chaining and session upgrade features. Refer to OpenSSO Administrator guide for the finer details.
Few weeks ago, I posted another entry on Match-to-Smartcard PKI and Biometric authentication which is a different solution that makes use of Biometric information (CBEFF) stored on a PIV card. I am still working on the documentation….will keep you posted very soon.