Identity soup

678 views

Published on

When it comes to identity and access management (IAM) for your application, it's good to warm-up with a good cup of identity protocol soup. Key ingredients include SAML, OAuth, OpenID and OpenID Connect. In this session, learn how developers create world-class private and public applications that are secure, mobile and can be easily provisioned -- all leveraging these standards-based protocols.

0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
678
On SlideShare
0
From Embeds
0
Number of Embeds
2
Actions
Shares
0
Downloads
31
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • Identity soup

    1. 1. Warm Up to Identity Protocol Soup David Waite Principal Technical Architect1 Copyright ©2012 Ping Identity Corporation. All rights reserved.
    2. 2. Topics •What is Digital Identity? •What are the different technologies? •How are they useful? •Where is this space going?2 Copyright ©2012 Ping Identity Corporation. All rights reserved.
    3. 3. Digital Identity3 Copyright ©2012 Ping Identity Corporation. All rights reserved.
    4. 4. Concepts • Authentication / Authenticity –Is this entity (person/machine) who they say4 Copyright ©2012 Ping Identity Corporation. All rights reserved.
    5. 5. Concepts • Attributes / Identity Information –My name is David Waite –I work for Ping Identity –I’ve been in the Identity Space for 10 years –My email address is dwaite@pingidentity.com5 Copyright ©2012 Ping Identity Corporation. All rights reserved.
    6. 6. Introductions • Ping Identity –Focused on Identity standards –Enterprise and Consumer-oriented solutions –On-site software (PingFederate) –Identity as a Service offerings (PingOne)6 Copyright ©2012 Ping Identity Corporation. All rights reserved.
    7. 7. Concepts • Authorization –What are the rules on who can do what • Access Control –Enforces whether you can or can’t do something7 Copyright ©2012 Ping Identity Corporation. All rights reserved.
    8. 8. Concepts • The bundle of credentials, identifiers and attributes makes up the traditional idea of an “Account” • The services which work by the same system of accounts and authorization make up a “Security Domain”8 Copyright ©2012 Ping Identity Corporation. All rights reserved.
    9. 9. SAML / In the Beginning9 Copyright ©2012 Ping Identity Corporation. All rights reserved.
    10. 10. Simple App Application DB Login Content10 Copyright ©2012 Ping Identity Corporation. All rights reserved.
    11. 11. Less Simple App Application Login Content DB Self- Password Registration Recovery11 Copyright ©2012 Ping Identity Corporation. All rights reserved.
    12. 12. Uh-Oh Application Application Login Content Login Content DB Self- Self- Password Registration Registration Recovery12 Copyright ©2012 Ping Identity Corporation. All rights reserved.
    13. 13. Reality (Simplified) Application Application Login Content Login Content Self- Self- Password Registration Registration Recovery DB Application Application DB DB Login Content Login Content Self- Password Self- Registration Recovery Registration13 Copyright ©2012 Ping Identity Corporation. All rights reserved.
    14. 14. Supportability Issues • Multiple accounts • Different usernames and passwords • Varying support / recovery processes • Hard to change Authorization policy • Provisioning users is error-prone14 Copyright ©2012 Ping Identity Corporation. All rights reserved.
    15. 15. Security Issues • Users may retain access to systems • Duplicated passwords and user info • Lack of auditing • Home-grown auth may be insecure • Difficult to switch to multi-factor15 Copyright ©2012 Ping Identity Corporation. All rights reserved.
    16. 16. Architectural impact • Decomposing applications is hard • Difficult to mash up APIs –Data Silos • Code for authz policy changes • Rebuilding same components16 Copyright ©2012 Ping Identity Corporation. All rights reserved.
    17. 17. Solution? • Identity and Access Management –Infrastructure shared by apps –Centralized resources and management • Examples: –Use LDAP for account attributes –Create groups representing authorizations rather than departments17 Copyright ©2012 Ping Identity Corporation. All rights reserved.
    18. 18. Identity and Access Management • Single Authentication Mechanism –Transport: Client X.509, Kerberos –Domain cookie w/App Server Plugin –Authenticating Proxy in front of apps18 Copyright ©2012 Ping Identity Corporation. All rights reserved.
    19. 19. Identity and Access Management • Central Authorization Policy • Set policy at HTTP resource level • Responsible for Access Control at resource level19 Copyright ©2012 Ping Identity Corporation. All rights reserved.
    20. 20. Drawbacks • Time/TCO to retrofit existing apps • High cost of infrastructure upgrades • M&A often be a nightmare • There are no standards –huge amount of vendor lock-in.20 Copyright ©2012 Ping Identity Corporation. All rights reserved.
    21. 21. Failings •Not always possible to support –COTS software –3rd Party / Hosted software21 Copyright ©2012 Ping Identity Corporation. All rights reserved.
    22. 22. SAML22 Copyright ©2012 Ping Identity Corporation. All rights reserved.
    23. 23. SAML • Security Assertion Markup Language • 1.0 in November 2002 • 2.0 in March 2005 “Securely Assert Identity Information”23 Copyright ©2012 Ping Identity Corporation. All rights reserved.
    24. 24. SAML Roles • “Identity Provider” (IDP) –provides identity information • “Service Provider” (SP) –consumes identity information –provides access to services24 Copyright ©2012 Ping Identity Corporation. All rights reserved.
    25. 25. SAML Pieces • Assertion –XML document –a signed and/or encrypted –containing identity information25 Copyright ©2012 Ping Identity Corporation. All rights reserved.
    26. 26. SAML Parts • Protocol - messages built on assertions • Binding - sending protocol over the wire • Profile - combination to accomplish some use case26 Copyright ©2012 Ping Identity Corporation. All rights reserved.
    27. 27. SAML Web SSO • Most popular profile is Web Browser Single Sign-On Profile • Use browser as a communication channel • Authenticates browser that delivers the message27 Copyright ©2012 Ping Identity Corporation. All rights reserved.
    28. 28. SAML Web SSO Bridges Accounts for the different Security Domains28 Copyright ©2012 Ping Identity Corporation. All rights reserved.
    29. 29. SAML Used by • Web Browser SSO Profile • WS-* (as token) • WS-Federation (as token) • OAuth 2 (as authentication mechanism)29 Copyright ©2012 Ping Identity Corporation. All rights reserved.
    30. 30. OpenID30 Copyright ©2012 Ping Identity Corporation. All rights reserved.
    31. 31. OpenID • Created by Brad Fitzpatrick in 2005 • Came out of blogging space –Don’t want to manage accounts just to let people comment on blog posts • Initially for Lower Assurance • Dynamically Managed relationships31 Copyright ©2012 Ping Identity Corporation. All rights reserved.
    32. 32. OpenID • Your “username” is a URL • Your login proves ownership • Your identity/persona is that URL32 Copyright ©2012 Ping Identity Corporation. All rights reserved.
    33. 33. OpenID - How it works • Relying Party –Similar role to SP, requests/relies on OpenID • OpenID Provider –Similar role to IDP, authenticates users33 Copyright ©2012 Ping Identity Corporation. All rights reserved.
    34. 34. OpenID - How it works 1.User enters OpenID or selects OP at Relying Party* 2.RP figures out appropriate OP 3.Sends browser to OP so the user can prove who they are 4.OP sends authenticated user back to RP34 Copyright ©2012 Ping Identity Corporation. All rights reserved.
    35. 35. Advantages • User-Centric Identity –user maintains control –determines who sees what • Can run infrastructure without coordination35 Copyright ©2012 Ping Identity Corporation. All rights reserved.
    36. 36. Disadvantages • Users do not understand URLs • Hidden complexity in implementing • Interoperability is poor • Many sites are non-compliant • Some sites require extensions36 Copyright ©2012 Ping Identity Corporation. All rights reserved.
    37. 37. Recommendation • Support specific partners/software • Choose a mature product or library • Hide OpenID from user –Use a NASCAR page37 Copyright ©2012 Ping Identity Corporation. All rights reserved.
    38. 38. OAuth 1 and 238 Copyright ©2012 Ping Identity Corporation. All rights reserved.
    39. 39. OAuth • Negotiate/Represent Authorization for Apps • Per-user –Delegation of user access –User participation in authorization policy39 Copyright ©2012 Ping Identity Corporation. All rights reserved.
    40. 40. The Old Model*40 Copyright ©2012 Ping Identity Corporation. All rights reserved.
    41. 41. The Old Model*41 Copyright ©2012 Ping Identity Corporation. All rights reserved.
    42. 42. OAuth 1 • Created in 2007 • 2-legged –Server to Server • 3-legged –User authorization42 Copyright ©2012 Ping Identity Corporation. All rights reserved.
    43. 43. OAuth 1 Flow • User selects to add/authorize third party • App sends user to third party site • User authenticates with site if needed, indicates what the app is authorized for • User is sent back to App with token43 Copyright ©2012 Ping Identity Corporation. All rights reserved.
    44. 44. OAuth Benefits • App access is limited • App behaviors are auditable • User makes their own policy decisions • Users can revoke access to their data44 Copyright ©2012 Ping Identity Corporation. All rights reserved.
    45. 45. OAuth 2 • Removes complex signature requirement –Must use SSL –Resource access is simple • Separate roles for resource protected, authorization service • Adds new flows for new native client use45 Copyright ©2012 Ping Identity Corporation. All rights reserved.
    46. 46. OAuth 1 vs 2 • OAuth 1 is very pragmatic –Hits two use cases –Details them thoroughly with examples • OAuth 2 is broad, extensible –Pieces used to solve particular problem • Do not recommend OAuth 1 for new projects46 Copyright ©2012 Ping Identity Corporation. All rights reserved.
    47. 47. OAuth vs Web SSO OAuth is for authorization, not authentication • Web SSO lets you know who the user is • OAuth is permission to act for the user • NOT a replacement for Web SSO47 Copyright ©2012 Ping Identity Corporation. All rights reserved.
    48. 48. OAuth vs Web SSO • OAuth does not give you –User attributes –Confirmation (that the user is present) –Audience (this token was meant for you)48 Copyright ©2012 Ping Identity Corporation. All rights reserved.
    49. 49. OpenID Connect49 Copyright ©2012 Ping Identity Corporation. All rights reserved.
    50. 50. OpenID Connect • In-process specification building on top of OAuth 2 • Adds first-class identity information to protocol • Supports additional use cases –(hybrid client)50 Copyright ©2012 Ping Identity Corporation. All rights reserved.
    51. 51. OpenID Connect • New “ID Token” • Normal Access token is for the resource, about the client application • ID token is meant to be understood by the client, about the user51 Copyright ©2012 Ping Identity Corporation. All rights reserved.
    52. 52. OpenID Connect • Defines UserInfo service –To get user attributes in a standard manner • Has Simple discovery mechanism to authenticate by URL or email address • Defines dynamic client support52 Copyright ©2012 Ping Identity Corporation. All rights reserved.
    53. 53. OpenID Connect OpenID Connect provides a single way to securely support both Web SSO, and API access by native clients.53 Copyright ©2012 Ping Identity Corporation. All rights reserved.
    54. 54. Closing54 Copyright ©2012 Ping Identity Corporation. All rights reserved.
    55. 55. Closing • Digital Identity is a broad topic representing the user authentication, attributes, and authorization policies for a domain • Applications should not be their own security domains –does not scale55 Copyright ©2012 Ping Identity Corporation. All rights reserved.
    56. 56. Closing • Web SSO is a way to bridge the gap in security domains –SAML - Security Assertion Markup Language –OpenID56 Copyright ©2012 Ping Identity Corporation. All rights reserved.
    57. 57. Closing • For native clients, the browser flow of Web SSO is not appropriate • SOAP services have WS-* –supports SAML tokens • REST services have OAuth –supports SAML tokens57 Copyright ©2012 Ping Identity Corporation. All rights reserved.
    58. 58. Closing • Going forward, OpenID Connect bridges Web SSO and API access. • Supports authentication and authorization • Previous protocols will stay in use58 Copyright ©2012 Ping Identity Corporation. All rights reserved.
    59. 59. Questions? http://www.flickr.com/photos/horiavarlan/4273168957/ • Ask me about: –WS-Federation –WS-Security/WS-Trust –SCIM –ID-FF/Shibboleth59 Copyright ©2012 Ping Identity Corporation. All rights reserved.
    60. 60. Questions? • Visit www.pingidentity.com or www.pingone.com for more information • Email sales@pingidentity.com with questions Are you a SaaS company interested in getting started with PingOne for free? Contact us at sales@pingidentity.com to learn how!60 Copyright ©2012 Ping Identity Corporation. All rights reserved.

    ×