CIS13: Identity at Scale
Hans Zandbelt, Technical Architect, Ping Identity
As the numbers and types of applications, devices and users grow, enterprise businesses face scalability challenges in dealing with Identity and Access Management (IAM) and federated Single Sign On (SSO) across web, mobile, enterprise and cloud environments. This session analyzes major issues that impact IAM and SSO scalability and explores possible approaches to address these issues.
Topics include:
· Trends and drivers for next generation identity and access management
· A bird's eye view of new standards for IAM across web and mobile
· Approaches for managing federated SSO on an Internet scale

Published in: Technology
CIS13: Identity at Scale

  1. Identity at Scale
     Hans Zandbelt
     CTO Office – Ping Identity
     CIS 2013
     Copyright ©2013 Ping Identity Corporation. All rights reserved.
  2. Contents
     •  Trends and Standards
     •  Identity at Scale
     •  Recommendations
  3. Trends
     •  Cloud (SaaS), Mobile, Social
        –  Authentication: SAML -> +OpenID Connect
     •  Web -> API
        –  Core business: information and data, not presentation
     •  Internet of Things
     •  Mutual authentication?
        –  controlling other cars, toasters, lightbulbs
  4. Standards (the nice thing is…)
     •  Standards
        –  Interoperability: need to deal with another vendor’s API/product? Not an app for every thing in the IoT!
        –  cross-domain
        –  competition, replaceable implementations, leading to good but cheap products?
     •  APIs
        –  Light-weight, SOAP -> REST/OAuth 2.0
     •  Web SSO
        –  Enterprise/Customer Identity, Consumer Identity
        –  SAML -> OpenID Connect: scale?
     •  OpenID Connect
        –  Simplicity for clients/RPs -> complexity shifted to the OP
  5. IDENTITY AT SCALE
  6. 1-1 Federated Identity Today
     •  Increase of Cloud/SaaS adoption
        –  # federated SSO applications (SAML)
        –  # partner connections
        –  # connection management overhead (*)
     •  But(!) also for “incidental” connections
        –  How to obtain updates
           •  Authoritative source -> trust
           •  Infrastructure: authenticated source (e-mail…)
        –  How to configure them
           •  Automated
           •  Managed, outsourced
     (Diagram: three IDPs and three SPs connected pairwise)
  7. Connection Management <md>
     •  Metadata related (not so standard for other-than-SAML protocols)
        –  key material
        –  SSO service URLs
        –  point of contact
     •  Attributes
        –  could be metadata, often isn’t
        –  may be bilateral (!)
        –  required/optional, consent
     •  Policies
        –  contractual agreements
        –  privacy
     •  End-user/application/SSO related
        –  how users can sign in (relation to service URLs)
        –  change in look and feel
        –  change in functionality (*)
  8. Metadata - SAML 2.0
     •  Technical Trust
     •  X.509 Certificate
        –  Anchored vs. unanchored
        –  Key vs. other cert info
     •  URLs/Bindings
     •  Contact info
        –  Company name, admin/tech contact

     <md:EntityDescriptor
         xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
         xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
         xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
         entityID="https://idp.example.org/SAML2">

       <!-- insert ds:Signature element -->

       <md:IDPSSODescriptor
           protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">

         <md:KeyDescriptor use="signing">
           <ds:KeyInfo>…</ds:KeyInfo>
         </md:KeyDescriptor>

         <md:SingleSignOnService
             Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
             Location="https://idp.example.org/SAML2/SSO/POST"/>
         <md:SingleSignOnService
             Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
             Location="https://idp.example.org/SAML2/Artifact"/>

       </md:IDPSSODescriptor>

       <md:Organization>
         <md:OrganizationName xml:lang="en">
           SAML Identity Provider
         </md:OrganizationName>
         <md:OrganizationURL xml:lang="en">
           http://www.idp.example.org/
         </md:OrganizationURL>
       </md:Organization>

       <md:ContactPerson contactType="technical">
         <md:SurName>SAML IdP Support</md:SurName>
         <md:EmailAddress>mailto:saml-support@idp.example.org</md:EmailAddress>
       </md:ContactPerson>

     </md:EntityDescriptor>
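The slide lists what an SP actually takes out of an IdP's EntityDescriptor: the signing key(s), the SSO endpoints per binding and the technical contact. The following is an added example (not from the slides or from any Ping Identity product) of the SP-side extraction and a minimal sanity check on the result. The metadata document embedded below is constructed for this example: it mirrors the slide's structure but carries two signing KeyDescriptors (the shape an IdP publishes during key rollover) with placeholder certificate values. It does not verify the ds:Signature; that step belongs before any of this output is trusted.

```python
"""Extract technical-trust material from a SAML 2.0 IdP EntityDescriptor.

Added example, not code from the slides. The metadata below is a
constructed sample; certificate values are placeholders.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample: same structure as the slide, plus a second signing
# key so the rollover case (two accepted keys at once) is visible.
SAMPLE_METADATA = """<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.org/SAML2">
  <md:IDPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>CERT-CURRENT-PLACEHOLDER</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>CERT-NEXT-PLACEHOLDER</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.org/SAML2/SSO/POST"/>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://idp.example.org/SAML2/Artifact"/>
  </md:IDPSSODescriptor>
  <md:ContactPerson contactType="technical">
    <md:SurName>SAML IdP Support</md:SurName>
    <md:EmailAddress>mailto:saml-support@idp.example.org</md:EmailAddress>
  </md:ContactPerson>
</md:EntityDescriptor>"""


def parse_idp_metadata(xml_text: str) -> dict:
    """Return entityID, accepted signing certs, SSO endpoints and contacts.

    Signature verification is NOT done here: the caller must check the
    ds:Signature (or the trust of the channel the document came over)
    before acting on anything this function returns.
    """
    # ElementTree does not fetch external entities; for metadata from
    # untrusted parties a hardened parser such as defusedxml is preferable.
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("expected an md:EntityDescriptor root element")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor role in this entity")

    # A KeyDescriptor without a 'use' attribute is valid for both signing
    # and encryption, so it is accepted as a signing key too. Collecting
    # all of them is what makes a rollover (old + new key) work.
    signing_keys = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):
            continue
        cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if cert is not None and cert.text:
            signing_keys.append("".join(cert.text.split()))

    endpoints = {}
    for sso in idp.findall("md:SingleSignOnService", NS):
        endpoints[sso.get("Binding")] = sso.get("Location")

    contacts = {}
    for cp in root.findall("md:ContactPerson", NS):
        contacts[cp.get("contactType")] = cp.findtext(
            "md:EmailAddress", default="", namespaces=NS)

    return {"entity_id": root.get("entityID"), "signing_keys": signing_keys,
            "sso_endpoints": endpoints, "contacts": contacts}


def validate_idp_metadata(md: dict) -> list:
    """Problems that should stop an SP from configuring this partner."""
    problems = []
    if not md["signing_keys"]:
        problems.append("no signing key: assertions could not be verified")
    if not md["sso_endpoints"]:
        problems.append("no SingleSignOnService endpoint published")
    for binding, location in md["sso_endpoints"].items():
        if urlparse(location or "").scheme != "https":
            problems.append("non-https endpoint for %s: %s" % (binding, location))
    return problems


if __name__ == "__main__":
    md = parse_idp_metadata(SAMPLE_METADATA)
    print(md["entity_id"], len(md["signing_keys"]), "signing key(s)")
    print(validate_idp_metadata(md) or "metadata passes basic checks")
```

The validation list is deliberately the SP's refusal criteria rather than warnings: a partner without a signing key or with a plain-http endpoint is a connection that cannot be trusted at all, which is exactly the kind of snapshot defect slide 9 describes as hard to catch once connections are set up one-shot.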
  9. Connection Management Metadata/Technical Issues
     •  Conn Mgmt often a one-shot process (cq. a snapshot)
     •  Certificate expiry and update
     •  Contact info update
     •  URL and binding updates
     •  Changes in IDP discovery process
     •  Metadata documents can contribute to the solution, but how to scale exchange?
     (Diagram labels: Key Rollover, Contact Info, Bindings & URLs)
 10. BE AWARE
     Contrary to popular belief: the connection management problem is NOT specific to SAML; any federated authentication system deployed on true internet scale will have to address this issue. So: any solution should be protocol agnostic.
 11. TOWARDS A SOLUTION
     What can we do?
 12. Solution Approach (n=2): Shared Conn. Mgmt.
     •  Single/central/shared point of connection management (trust)
     •  Trusted 3rd party
        –  From: user trust scale through 2nd party to SP/IDP trust through 3rd-party
     •  Compares to TLS and a Certificate Authority or DNS
     •  Challenge
        –  How to create a trusted channel
     (Diagram: a Shared Service between three IDPs and three SPs)
 13. A shared service… where does it apply?
     •  intra-enterprise
        –  large distributed organizations, both infrastructure and responsibilities/trust (acquisitions and mergers)
        –  connect multiple applications to a variety of externals & internals; “user access firewall”
     •  inter-enterprise
        –  verticals: healthcare, automotive, banking/financial, education but also “cross e-Gov”
        –  homogeneous(!) group with shared interest/organization
     (Diagram: IDP/SP pairs)
 14. A Next Step In Architecture Evolution…
     (Diagram, stages 1–4:
      1: Application Server with App 1, App 2, App 3, each with its own Fed component;
      2: App Server or Access System with App 1, App 2, App 3 behind one Federation component;
      3: App Server with App 1, App 2, App 3 and a separate Federation Server;
      4: several App Servers (App 1 to App 4, some with Fed) and a Fed Server behind a shared Connection Management component)
 15. Solution 1: Proxy
     •  Indirect peer-to-peer communication
     •  Trust proxy only, relay to peers, inband
     •  Shift the metadata problem to a central facility: no distr. mgmt
     •  Technical trust may be combined with organizational trust
     •  Connection Mgmt
        –  MxN -> M+N
     •  Accommodate for diff SAML implementations
     •  Protocol translations are possible
     (Diagram: an Operator-run SAML Proxy acting as SP-IDP between three IDPs and three SPs, SAML on both sides)
 16. Benefits
     •  Scalability of trust
        –  Technical: single connection to proxy, central management of partner connections
        –  Organizational: trust in proxy operator
     •  Updates
        –  outsourced to the proxy; proxy to solve…
     •  Discovery & Autoconf
        –  Outsourced to the proxy; proxy to solve…
     (Diagram labels: Centralized Trust Mgmt, Updates, Discovery & Autoconf)
 17. Solution 2: Metadata Service
     •  aka. multi-party federation
     •  Higher Education & Research
        –  InCommon, UK Access Federation
        –  40+ across the world
     •  Business Verticals
        –  Healthcare
        –  Finance
        –  e-Gov
     •  Async technical trust
     •  Sync direct peer-to-peer communication
     •  Metadata upload (!)
     (Diagram: a Federation Operator distributing SAML Metadata to three IDPs and three SPs)
 18. Distribution variants (SAML 2.0 metadata)
     •  Flat file based (classic)
        –  > 10 Mb files for large federations (EntitiesDescriptor)
     •  Query-based (MDX)
     •  Well known location for metadata
        –  EntityID-is-URL-to-Metadata
        –  SAML auto-connect (Ping Identity)
     •  DNS based (registry)
     •  Trust
        1.  signed metadata
        2.  trusted registry
        3.  SSL CA
     (Diagram: IDP/SP pairs and DNS registries, labelled 1–3)
 19. Metadata Expiry (!)
     •  Attributes on Entity and Entities level: validUntil and cacheDuration
     •  On EntitiesDescriptor and EntityDescriptor level
     •  use only validUntil to enforce expiration
     •  use cacheDuration to override (downward) the refresh interval
     •  keep using (valid) metadata if the refresh fails
     (Timeline: refreshes at t1, t1+d, t1+2d, …; v = t2, then t2+d, t2+2d; d = cacheDuration (interval), v = validUntil (timestamp))
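The three rules on this slide are easy to state and easy to get wrong in a consumer, so here is an added example (not from the slides or from any Ping Identity product) of a metadata cache that follows them: validUntil alone decides expiry, cacheDuration can only shorten the configured refresh interval, and a failed refresh keeps the last good copy in use. The EntitiesDescriptor feed, the fetch callable and the clock values in the simulation are constructed for this example; the xs:duration parser handles only day/time designators, which is all cacheDuration values sensibly use.

```python
"""Refresh scheduling and expiry for a SAML metadata feed.

Added example, not code from the slides. The feed, the fetcher and the
timestamps in simulate() are constructed for this example.
"""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

_DURATION = re.compile(
    r"^P(?:(?P<d>\d+)D)?(?:T(?:(?P<h>\d+)H)?(?:(?P<m>\d+)M)?(?:(?P<s>\d+)S)?)?$")


def parse_xs_duration(text: str) -> timedelta:
    """Parse the day/time part of an xs:duration such as PT6H or P1DT12H.
    Year/month designators have no fixed length and are rejected."""
    m = _DURATION.match(text)
    if not m or text in ("P", "PT"):
        raise ValueError("unsupported duration: %r" % text)
    g = {k: int(v or 0) for k, v in m.groupdict().items()}
    return timedelta(days=g["d"], hours=g["h"], minutes=g["m"], seconds=g["s"])


def parse_xs_datetime(text: str) -> datetime:
    # validUntil is an xs:dateTime, normally in UTC with a trailing Z.
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def read_root_attrs(xml_text: str):
    """validUntil and cacheDuration from the root (EntitiesDescriptor)."""
    root = ET.fromstring(xml_text)
    return root.get("validUntil"), root.get("cacheDuration")


class MetadataCache:
    """Holds the last good copy of a feed and decides when to refresh it
    and whether it may still be used."""

    def __init__(self, fetch, default_interval=timedelta(hours=24)):
        self.fetch = fetch                  # callable returning the XML text
        self.default_interval = default_interval
        self.interval = default_interval
        self.doc = None
        self.valid_until = None
        self.next_refresh = None

    def refresh(self, now: datetime) -> bool:
        """Fetch the feed. On failure keep the current copy and retry later;
        the old copy stays usable until its own validUntil passes."""
        try:
            xml_text = self.fetch()
        except Exception:
            self.next_refresh = now + self.interval
            return False
        valid_until, cache_duration = read_root_attrs(xml_text)
        self.interval = self.default_interval
        if cache_duration:
            # cacheDuration may only shorten the refresh interval, never extend it
            self.interval = min(self.interval, parse_xs_duration(cache_duration))
        self.doc = xml_text
        self.valid_until = parse_xs_datetime(valid_until) if valid_until else None
        self.next_refresh = now + self.interval
        if self.valid_until is not None:
            # never plan the next refresh after the copy just loaded expires
            self.next_refresh = min(self.next_refresh, self.valid_until)
        return True

    def is_valid(self, now: datetime) -> bool:
        """validUntil alone decides whether the cached copy may be used."""
        if self.doc is None:
            return False
        return self.valid_until is None or now < self.valid_until


# Constructed feed: a federation aggregate valid for five more days, asking
# consumers to refresh every six hours.
FEED = ('<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
        'Name="https://federation.example/metadata" '
        'validUntil="2013-07-15T00:00:00Z" cacheDuration="PT6H"/>')


def simulate():
    """First refresh succeeds, the second fails; the old copy stays in use
    until validUntil. Returns (ok1, first_interval, ok2, still_valid, expired)."""
    now = datetime(2013, 7, 10, 12, 0, tzinfo=timezone.utc)
    calls = {"n": 0}

    def fetch():
        calls["n"] += 1
        if calls["n"] == 2:
            raise ConnectionError("metadata server unreachable")   # constructed outage
        return FEED

    cache = MetadataCache(fetch, default_interval=timedelta(days=1))
    ok1 = cache.refresh(now)
    first_next = cache.next_refresh                 # 6h after now, not 24h
    ok2 = cache.refresh(first_next)                 # outage: refresh fails
    still_valid = cache.is_valid(first_next)        # old copy still usable
    expired = cache.is_valid(datetime(2013, 7, 16, tzinfo=timezone.utc))
    return ok1, first_next - now, ok2, still_valid, expired


if __name__ == "__main__":
    print(simulate())
```

Note what the cache does not do: it never extends the interval because the feed said so, and it never discards a copy because a fetch failed. A consumer that drops its metadata on the first network error turns every transient outage at the federation operator into a federation-wide login outage.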
 20. Benefits
     •  Scalability of trust
        –  Technical: removes need to exchange metadata on peer-to-peer basis
        –  Organizational: federation operator does IDP and SP vetting through contractual agreements
     •  Key rollover
        –  Include multiple signing keys for a <validUntil> period
     •  Discovery and auto-configuration
        –  Building block…
     (Diagram labels: Scalability of Trust, Key Rollover, Discovery & Autoconf)
 21. Metadata Service layering: interfederation
     (Diagram: an Interfederation Operator aggregating the Metadata of two federations, each with IDPs and SPs, into Aggregated Metadata)
 22. SAML 2.0 Metadata extensions
     •  MDUI
        –  SAML version 2.0 Metadata Extensions for Login and Discovery User interface, version 1.0
     •  Entity attributes
        –  SAML V2.0 Metadata Extension for Entity Attributes Version 1.0
        –  Generic extension point
     •  Signed Entity Attributes
        –  Single source of metadata, support multiple trust levels or hierarchies
     •  Other protocols
        –  SAML 1.0, SAML 1.1
        –  WS-Federation (ADFS 2.0)
        –  OpenID 2.0
        –  OpenID Connect (?) -> independent registry or attr
 23. Taxonomy + Examples
     Model    | Deployment: External   | Deployment: Internal
     Proxy    | IDMaaS (PingOne)       | Proxy (PingFed)
     Metadata | Federation (InCommon)  | “Metadata Server”
 24. Solution Examples for SAML 2.0
     •  Proxy
        –  PingOne
        –  wayf.dk
     •  Metadata Service
        –  InCommon
        –  UK Access Federation
     Any SAML product implementation today may or may not support one or both models, in the core or through customizations.
 25. OpenID Connect Metadata (OP and RP)
     •  Metadata and key material separated
     •  Use HTTP cache info for the JWK set (optional)
     •  Multiple keys with “kids” – JIT: client fetches kid if unknown
     •  Client updates keys with OP through DynReg
     (Diagram labels: OP, RP, JWK set, metadata, Metadata Service, Dynamic Client Registration)
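The slide's JWK-set handling (kids, HTTP cache lifetime, just-in-time fetch of an unknown kid) is what makes OP key rollover invisible to the RP. The following is an added example of the RP side, not from the slides or from any Ping Identity product: a cache keyed by kid that honours the set's max-age and refetches once when a kid is unknown, rate-limited so that tokens carrying bogus kids cannot drive an unbounded stream of requests at the OP. The OP, its key set and its jwks response are simulated in code; the JWK values are placeholders and no signature verification is shown.

```python
"""RP-side JWK set cache with kid lookup and just-in-time refetch.

Added example, not code from the slides. FakeOp simulates an OP's
jwks_uri; key values are placeholders, not real RSA parameters.
"""
import time


class JwksCache:
    def __init__(self, fetch, min_refetch_interval=300):
        self.fetch = fetch            # returns (list of JWK dicts, max_age seconds)
        self.keys = {}                # kid -> JWK
        self.expires_at = 0.0         # derived from the HTTP cache lifetime
        self.last_fetch = -1e9
        self.min_refetch_interval = min_refetch_interval

    def _load(self, now):
        jwks, max_age = self.fetch()
        # Only signature keys matter for token validation; keys without a
        # kid cannot be selected by kid and are ignored here.
        self.keys = {k["kid"]: k for k in jwks
                     if k.get("use", "sig") == "sig" and "kid" in k}
        self.expires_at = now + max_age
        self.last_fetch = now

    def key_for(self, kid, now=None):
        """Return the signing JWK for a kid taken from a token header."""
        now = time.time() if now is None else now
        if not self.keys or now >= self.expires_at:
            self._load(now)                       # cold start or cache expired
        key = self.keys.get(kid)
        if key is None and now - self.last_fetch >= self.min_refetch_interval:
            # Unknown kid: the OP may have rotated. Refetch once, but no
            # more often than min_refetch_interval, so a burst of tokens
            # with unknown kids cannot become a burst of requests at the OP.
            self._load(now)
            key = self.keys.get(kid)
        if key is None:
            raise KeyError("no signing key with kid=%r" % kid)
        return key


class FakeOp:
    """Simulated OP whose jwks_uri serves one hour of cache lifetime."""

    def __init__(self):
        self.keys = [{"kty": "RSA", "kid": "2013-06", "use": "sig",
                      "n": "MODULUS-PLACEHOLDER", "e": "AQAB"}]
        self.fetches = 0

    def jwks_endpoint(self):
        self.fetches += 1
        return list(self.keys), 3600

    def rotate(self, new_kid):
        # Publish the new key in front, keep the old one so tokens already
        # issued under it still verify (the rollover window).
        self.keys = [{"kty": "RSA", "kid": new_kid, "use": "sig",
                      "n": "MODULUS-PLACEHOLDER-2", "e": "AQAB"}] + self.keys


def scenario():
    """Returns (kid found initially, kid found after rotation,
    number of fetches made, whether a bogus kid was resolved)."""
    op = FakeOp()
    cache = JwksCache(op.jwks_endpoint, min_refetch_interval=300)
    t0 = 1_372_000_000.0                                   # constructed clock
    k1 = cache.key_for("2013-06", now=t0)["kid"]           # fetch #1
    cache.key_for("2013-06", now=t0 + 10)                  # served from cache
    op.rotate("2013-07")
    k2 = cache.key_for("2013-07", now=t0 + 400)["kid"]     # unknown kid -> fetch #2
    try:
        cache.key_for("bogus", now=t0 + 401)
        bogus_ok = True
    except KeyError:
        bogus_ok = False                                   # within 300 s: no refetch
    return k1, k2, op.fetches, bogus_ok


if __name__ == "__main__":
    print(scenario())
```

Two design points are worth keeping when adapting this: the refetch throttle is per cache, not per kid, so an attacker cannot bypass it by varying the bogus kid, and the cache trusts the jwks_uri only because that URI came from the OP's discovery metadata over TLS, which is the separation of metadata and key material the slide describes.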
 26. RECOMMENDATIONS
 27. Recommendations
     •  The problem is not protocol specific (!)
        –  Any solution should be multi-protocol enabled or rather protocol agnostic
     •  A shared service, two possible approaches
        –  Metadata Service (“automate”) or Proxy (“outsource”)
     •  True Internet scale? Expect combinations (!)
        –  Local/enterprise/community: proxy based
        –  Protocol Translation: proxy
        –  Global: (interconnected) metadata service based
 28. Metadata Service
     •  Registration and publishing service for “endpoint” metadata
        –  Multi-protocol: both SAML 2.0 and OpenID Connect (OPs)
     •  Technical Trust
        –  authenticated, trusted source
     •  Discovery
        –  multiple entities on a single OIDC domain
        –  Entities that cannot or will not host their own metadata
        –  Replace well-known URL starting point
     •  Validation
     •  Certification
 29. Future? Not so much!
     •  Identity is/as KEY
        –  not just users, but also devices and applications
     •  Unified access policy implementation across web and APIs/Mobile
        –  Based on identity
     •  Enterprise:
        –  Single System -> Identity Bridge
     •  Identity Bridge
        –  Bridge external SAML and OpenID Connect to internal OpenID Connect (both ends standardized)
 30. Thank You
     Q&A
     @hanszandbelt
     Ping Identity