CIS13: OpenID Connect: How it Solves your Problems

Nat Sakimura, Senior Researcher, Information Tech. Research Dept, Nomura Research Institute
OpenID Connect is an identity layer on top of OAuth 2.0 Authorization Framework. This session gives an overview of the underlying concept and how it can help you solve your problems.

Transcript of "CIS13: OpenID Connect: How it Solves your Problems"

  1. Nomura Research Institute. Cloud Identity Summit 2013. OpenID Connect: How it solves your problems. July 10, 2013. Nat Sakimura, Nomura Research Institute; Chairman, The OpenID Foundation.
  2. © 2013 by Nomura Research Institute. All rights reserved. B2E Identity, B2C Identity, G2C Identity, G2E Identity (source of pictures: Microsoft Office Online)
  3. ? "Why is OpenID Connect relevant for us in the enterprise? It's a consumer technology, is it not?"
  4. Not quite.
  5. OpenID Connect was built with enterprise use in mind (as well as consumer use). OpenID Connect helps you build effective access governance over cloud services.
  6. Q: What are the de facto federation and account provisioning protocols?
  7. Identity Federation: agreement between two or more domains (3.2.3) specifying how identity information (3.2.4) will be exchanged and managed for cross-domain identification (3.2.1) purposes [ISO/IEC 24760-1]. Account Provisioning: process of creating an account at the service for the user.
  8. Identity Federation: SAML? Account Provisioning: SPML?
  9. (no text on this slide)
  10. Identity Federation: Password Sharing. Account Provisioning: Custom CSV.
  11. Q: Why did we fail?
  12. • Too complex to understand.
        • Cognitive difficulty leads to support difficulty.
      • Different products do not interoperate.
      • A large Japanese manufacturer:
        • more than 3000 partners all around the world
        • some are quite small
        • tried to do SAML
  13. CSV is easy. • Hey, you just need Excel! And you can edit the files by hand! Password Sharing is easy. • Hey, it works on any application that supports passwords!
  14. Lots of (hidden) problems…
  15. • Anything that more than 3 people know is not a secret!
      • Can easily get out of sync.
      • De-provisioning? Archiving?
      • Are you getting an audit trail of the access to those systems?
      • Etc.
  16. Let's re-do. This time, dead simple.
  17. OpenID Connect & SCIM
  18. identity: set of attributes related to an entity [ISO/IEC 29115 | ITU-T X.1254]. Note: distinguish identity and identifier carefully.
  19. An example of a simplistic enterprise "identity": Employee number: A12349898; Name: John Smith; Position: General Manager; Department: Finance; Company: ABCD Holding; Location: NYHQ; Datetime: 29130809T12:34:11Z
  20. The same attribute set as on slide 19 serves three consumers: logging, the user interface, and access control information.
  21. Account → Role → PEP → Resource
  22. Identity → PEP → Resource, governed by Rules
  23. Based on the SP800-162 figure on page viii: identity, Resource, Rules
  24. • R1: Access Control MUST be done with the dynamic attributes.
      • R2: Identity MUST be provided from the authoritative source.
      • R3: Need to be able to provide flexible security.
      • R4: Need to be dead simple.
      • R5: Interoperability is king.
      • R6: Limited-connectivity (esp. mobile) ready.
      • R7: Unified technology for enterprise and consumer.
      • R8: Privacy enhancing and voluntary.
  25. Let's re-do. This time, dead simple. Yes, we are reinventing a wheel, but this time it will be a little rounder.
  26. SAML vs. OpenID Connect
      SAML Web SSO          | OpenID Connect
      XML                   | JSON
      XML Dsig              | JSON Web Signature (JWS)
      XML Encryption        | JSON Web Encryption (JWE)
      SAML                  | JSON Web Token
      SAML Assertion        | ID Token (OIDC)
      SOAP (mostly…)        | REST
      SAML Web SSO Profile  | Standard (= OAuth 2.0 binding)
      SPML                  | SCIM
  27. OpenID Foundation Japan's Enterprise Identity WG: Egawa-san!
  28. Deployment Experiences of OpenID Connect
  29. Easy to implement • Good! Nice user experience for enterprise users • No login dialogues; just depend on AD. • NRI has built an IIS plugin that works as an OIDC server over the implicit flow.
  30. Make sure to follow the verification rules • Some implementations were bitten by not following the MUSTs. Never send an access token to any other client without the accompanying ID Token.
  31. Care should be taken for "code" and "token" server-side verification • They will become performance bottlenecks. • Make them as stateless as possible. • Depending on the risk profile, you may not need to re-check with the server and can just verify them locally. • Use a memory DB for the revocation list.
  32. Big Picture ~ Transient Situation: AD etc. → Connect Server (with Access Log) → Service, Service, Service
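The following Python is an added example, not code from the talk or from NRI's IIS plugin. It shows the relying-party checks the "verification rules" slide refers to (signature, iss, aud, exp, nonce, and the at_hash binding that ties an access token to the ID Token it was issued with) together with the stateless local verification and in-memory revocation list of the slide on "code" and "token" verification. It assumes an HS256-signed ID Token keyed with the client secret (permitted by OpenID Connect Core 10.1; RS256 against the OP's JWKS is the more usual production choice), a constructed issuer, client id and secret, and test tokens minted by a stand-in OP; it uses only the standard library so it runs offline.

```python
import base64
import hashlib
import hmac
import json
import time

ISSUER = "https://op.example.com"           # constructed, not from the talk
CLIENT_ID = "rp-client-1"                   # constructed
CLIENT_SECRET = b"constructed-shared-secret-for-example-only"  # HS256 key (OIDC Core 10.1)

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def at_hash(access_token: str) -> str:
    # at_hash for HS256/RS256: base64url of the left-most 128 bits of SHA-256(access_token).
    digest = hashlib.sha256(access_token.encode("ascii")).digest()
    return b64url_encode(digest[: len(digest) // 2])

def mint_id_token(claims: dict, key: bytes) -> str:
    """Stand-in OP, used only to build test tokens: HS256-signed compact JWT."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signature = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(signature)}"

class ValidationError(Exception):
    pass

def validate_id_token(token, *, key, issuer, client_id, nonce, access_token=None, now=None, leeway=60):
    """RP-side ID Token checks from OIDC Core 3.1.3.7 / 3.2.2.11; any miss is a hard failure."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValidationError("malformed JWT")
    header_b64, payload_b64, sig_b64 = parts
    # Pin the algorithm agreed at registration; never take it from the token (alg=none, key confusion).
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValidationError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValidationError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValidationError("iss mismatch")
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else (aud or [])
    if client_id not in aud:
        raise ValidationError("aud does not include this client")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] + leeway < now:
        raise ValidationError("missing exp or expired")
    if nonce is None or claims.get("nonce") != nonce:
        raise ValidationError("nonce mismatch")
    if access_token is not None:
        # An access token delivered alongside the ID Token must be bound to it via at_hash; no at_hash, no deal.
        if not isinstance(claims.get("at_hash"), str):
            raise ValidationError("access token received but ID Token carries no at_hash")
        if not hmac.compare_digest(claims["at_hash"].encode(), at_hash(access_token).encode()):
            raise ValidationError("at_hash mismatch")
    return claims

class LocalTokenVerifier:
    """Stateless local verification plus an in-memory revocation set (the talk's 'memory DB')."""
    def __init__(self, key: bytes, issuer: str, client_id: str):
        self.key, self.issuer, self.client_id = key, issuer, client_id
        self.revoked_jti = set()  # stand-in for a memory database of revoked token ids

    def verify(self, token: str, nonce: str, access_token=None, now=None) -> dict:
        claims = validate_id_token(token, key=self.key, issuer=self.issuer, client_id=self.client_id,
                                   nonce=nonce, access_token=access_token, now=now)
        if claims.get("jti") in self.revoked_jti:   # cheap set lookup, only after the stateless checks
            raise ValidationError("token revoked")
        return claims

def demo() -> dict:
    """Run the verifier over constructed tokens; returns the outcome for each case."""
    now, nonce, access_token = 1373457600, "n-0S6_WzA2Mj", "constructed-access-token"  # 2013-07-10T12:00Z
    verifier = LocalTokenVerifier(CLIENT_SECRET, ISSUER, CLIENT_ID)
    verifier.revoked_jti.add("tok-2")
    good = {"iss": ISSUER, "sub": "A12349898", "aud": CLIENT_ID, "exp": now + 300, "iat": now,
            "nonce": nonce, "jti": "tok-1", "at_hash": at_hash(access_token)}
    cases = {
        "valid": (mint_id_token(good, CLIENT_SECRET), now),
        "no_at_hash": (mint_id_token({k: v for k, v in good.items() if k != "at_hash"}, CLIENT_SECRET), now),
        "wrong_aud": (mint_id_token({**good, "aud": "other-client"}, CLIENT_SECRET), now),
        "forged": (mint_id_token(good, b"attacker-key"), now),
        "expired": (mint_id_token(good, CLIENT_SECRET), now + 3600),
        "revoked": (mint_id_token({**good, "jti": "tok-2"}, CLIENT_SECRET), now),
    }
    results = {}
    for name, (token, clock) in cases.items():
        try:
            verifier.verify(token, nonce, access_token=access_token, now=clock)
            results[name] = "accepted"
        except ValidationError as err:
            results[name] = f"rejected: {err}"
    return results
```

`demo()` runs six constructed cases and only the untampered, unexpired, correctly bound token is accepted. Two design points match the slides: the signature algorithm is pinned by the RP rather than read from the token, and the revocation set is consulted only after the stateless checks pass, so a forged or expired token costs one HMAC and no lookup, while a revoked one costs one HMAC plus a set membership test.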