• Share
  • Email
  • Embed
  • Like
  • Save
  • Private Content
Identity soup
 

Identity soup

on

  • 543 views

When it comes to identity and access management (IAM) for your application, it's good to warm-up with a good cup of identity protocol soup. Key ingredients include SAML, OAuth, OpenID and OpenID ...

When it comes to identity and access management (IAM) for your application, it's good to warm-up with a good cup of identity protocol soup. Key ingredients include SAML, OAuth, OpenID and OpenID Connect. In this session, learn how developers create world-class private and public applications that are secure, mobile and can be easily provisioned -- all leveraging these standards-based protocols.

Statistics

Views

Total Views
543
Views on SlideShare
543
Embed Views
0

Actions

Likes
0
Downloads
24
Comments
0

0 Embeds 0

No embeds

Accessibility

Categories

Upload Details

Uploaded via as Apple Keynote

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n

Identity soup Identity soup Presentation Transcript

  • Warm Up to Identity Protocol Soup David Waite Principal Technical Architect1 Copyright ©2012 Ping Identity Corporation. All rights reserved.
  • Topics •What is Digital Identity? •What are the different technologies? •How are they useful? •Where is this space going?2 Copyright ©2012 Ping Identity Corporation. All rights reserved.
  • Digital Identity3 Copyright ©2012 Ping Identity Corporation. All rights reserved.
  • Concepts • Authentication / Authenticity –Is this entity (person/machine) who they say4 Copyright ©2012 Ping Identity Corporation. All rights reserved.
  • Concepts • Attributes / Identity Information –My name is David Waite –I work for Ping Identity –I’ve been in the Identity Space for 10 years –My email address is dwaite@pingidentity.com5 Copyright ©2012 Ping Identity Corporation. All rights reserved.
  • Introductions • Ping Identity –Focused on Identity standards –Enterprise and Consumer-oriented solutions –On-site software (PingFederate) –Identity as a Service offerings (PingOne)6 Copyright ©2012 Ping Identity Corporation. All rights reserved.
  • Concepts • Authorization –What are the rules on who can do what • Access Control –Enforces whether you can or can’t do something7 Copyright ©2012 Ping Identity Corporation. All rights reserved.
  • Concepts • The bundle of credentials, identifiers and attributes makes up the traditional idea of an “Account” • The services which work by the same system of accounts and authorization make up a “Security Domain”8 Copyright ©2012 Ping Identity Corporation. All rights reserved.
  • SAML / In the Beginning9 Copyright ©2012 Ping Identity Corporation. All rights reserved.
  • Simple App Application DB Login Content10 Copyright ©2012 Ping Identity Corporation. All rights reserved.
  • Less Simple App Application Login Content DB Self- Password Registration Recovery11 Copyright ©2012 Ping Identity Corporation. All rights reserved.
  • Uh-Oh Application Application Login Content Login Content DB Self- Self- Password Registration Registration Recovery12 Copyright ©2012 Ping Identity Corporation. All rights reserved.
  • Reality (Simplified) Application Application Login Content Login Content Self- Self- Password Registration Registration Recovery DB Application Application DB DB Login Content Login Content Self- Password Self- Registration Recovery Registration13 Copyright ©2012 Ping Identity Corporation. All rights reserved.
  • Supportability Issues • Multiple accounts • Different usernames and passwords • Varying support / recovery processes • Hard to change Authorization policy • Provisioning users is error-prone14 Copyright ©2012 Ping Identity Corporation. All rights reserved.
  • Security Issues • Users may retain access to systems • Duplicated passwords and user info • Lack of auditing • Home-grown auth may be insecure • Difficult to switch to multi-factor15 Copyright ©2012 Ping Identity Corporation. All rights reserved.
  • Architectural impact • Decomposing applications is hard • Difficult to mash up APIs –Data Silos • Code for authz policy changes • Rebuilding same components16 Copyright ©2012 Ping Identity Corporation. All rights reserved.
  • Solution? • Identity and Access Management –Infrastructure shared by apps –Centralized resources and management • Examples: –Use LDAP for account attributes –Create groups representing authorizations rather than departments17 Copyright ©2012 Ping Identity Corporation. All rights reserved.
  • Identity and Access Management • Single Authentication Mechanism –Transport: Client X.509, Kerberos –Domain cookie w/App Server Plugin –Authenticating Proxy in front of apps18 Copyright ©2012 Ping Identity Corporation. All rights reserved.
  • Identity and Access Management • Central Authorization Policy • Set policy at HTTP resource level • Responsible for Access Control at resource level19 Copyright ©2012 Ping Identity Corporation. All rights reserved.
  • Drawbacks • Time/TCO to retrofit existing apps • High cost of infrastructure upgrades • M&A often be a nightmare • There are no standards –huge amount of vendor lock-in.20 Copyright ©2012 Ping Identity Corporation. All rights reserved.
  • Failings •Not always possible to support –COTS software –3rd Party / Hosted software21 Copyright ©2012 Ping Identity Corporation. All rights reserved.
  • SAML22 Copyright ©2012 Ping Identity Corporation. All rights reserved.
  • SAML • Security Assertion Markup Language • 1.0 in November 2002 • 2.0 in March 2005 “Securely Assert Identity Information”23 Copyright ©2012 Ping Identity Corporation. All rights reserved.
  • SAML Roles • “Identity Provider” (IDP) –provides identity information • “Service Provider” (SP) –consumes identity information –provides access to services24 Copyright ©2012 Ping Identity Corporation. All rights reserved.
  • SAML Pieces • Assertion –XML document –a signed and/or encrypted –containing identity information25 Copyright ©2012 Ping Identity Corporation. All rights reserved.
  • SAML Parts • Protocol - messages built on assertions • Binding - sending protocol over the wire • Profile - combination to accomplish some use case26 Copyright ©2012 Ping Identity Corporation. All rights reserved.
  • SAML Web SSO • Most popular profile is Web Browser Single Sign-On Profile • Use browser as a communication channel • Authenticates browser that delivers the message27 Copyright ©2012 Ping Identity Corporation. All rights reserved.
  • SAML Web SSO Bridges Accounts for the different Security Domains28 Copyright ©2012 Ping Identity Corporation. All rights reserved.
  • SAML Used by • Web Browser SSO Profile • WS-* (as token) • WS-Federation (as token) • OAuth 2 (as authentication mechanism)29 Copyright ©2012 Ping Identity Corporation. All rights reserved.
  • OpenID30 Copyright ©2012 Ping Identity Corporation. All rights reserved.
  • OpenID • Created by Brad Fitzpatrick in 2005 • Came out of blogging space –Don’t want to manage accounts just to let people comment on blog posts • Initially for Lower Assurance • Dynamically Managed relationships31 Copyright ©2012 Ping Identity Corporation. All rights reserved.
  • OpenID • Your “username” is a URL • Your login proves ownership • Your identity/persona is that URL32 Copyright ©2012 Ping Identity Corporation. All rights reserved.
  • OpenID - How it works • Relying Party –Similar role to SP, requests/relies on OpenID • OpenID Provider –Similar role to IDP, authenticates users33 Copyright ©2012 Ping Identity Corporation. All rights reserved.
  • OpenID - How it works 1.User enters OpenID or selects OP at Relying Party* 2.RP figures out appropriate OP 3.Sends browser to OP so the user can prove who they are 4.OP sends authenticated user back to RP34 Copyright ©2012 Ping Identity Corporation. All rights reserved.
  • Advantages • User-Centric Identity –user maintains control –determines who sees what • Can run infrastructure without coordination35 Copyright ©2012 Ping Identity Corporation. All rights reserved.
  • Disadvantages • Users do not understand URLs • Hidden complexity in implementing • Interoperability is poor • Many sites are non-compliant • Some sites require extensions36 Copyright ©2012 Ping Identity Corporation. All rights reserved.
  • Recommendation • Support specific partners/software • Choose a mature product or library • Hide OpenID from user –Use a NASCAR page37 Copyright ©2012 Ping Identity Corporation. All rights reserved.
  • OAuth 1 and 238 Copyright ©2012 Ping Identity Corporation. All rights reserved.
  • OAuth • Negotiate/Represent Authorization for Apps • Per-user –Delegation of user access –User participation in authorization policy39 Copyright ©2012 Ping Identity Corporation. All rights reserved.
  • The Old Model*40 Copyright ©2012 Ping Identity Corporation. All rights reserved.
  • The Old Model*41 Copyright ©2012 Ping Identity Corporation. All rights reserved.
  • OAuth 1 • Created in 2007 • 2-legged –Server to Server • 3-legged –User authorization42 Copyright ©2012 Ping Identity Corporation. All rights reserved.
  • OAuth 1 Flow • User selects to add/authorize third party • App sends user to third party site • User authenticates with site if needed, indicates what the app is authorized for • User is sent back to App with token43 Copyright ©2012 Ping Identity Corporation. All rights reserved.
  • OAuth Benefits • App access is limited • App behaviors are auditable • User makes their own policy decisions • Users can revoke access to their data44 Copyright ©2012 Ping Identity Corporation. All rights reserved.
  • OAuth 2 • Removes complex signature requirement –Must use SSL –Resource access is simple • Separate roles for resource protected, authorization service • Adds new flows for new native client use45 Copyright ©2012 Ping Identity Corporation. All rights reserved.
  • OAuth 1 vs 2 • OAuth 1 is very pragmatic –Hits two use cases –Details them thoroughly with examples • OAuth 2 is broad, extensible –Pieces used to solve particular problem • Do not recommend OAuth 1 for new projects46 Copyright ©2012 Ping Identity Corporation. All rights reserved.
  • OAuth vs Web SSO OAuth is for authorization, not authentication • Web SSO lets you know who the user is • OAuth is permission to act for the user • NOT a replacement for Web SSO47 Copyright ©2012 Ping Identity Corporation. All rights reserved.
  • OAuth vs Web SSO • OAuth does not give you –User attributes –Confirmation (that the user is present) –Audience (this token was meant for you)48 Copyright ©2012 Ping Identity Corporation. All rights reserved.
  • OpenID Connect49 Copyright ©2012 Ping Identity Corporation. All rights reserved.
  • OpenID Connect • In-process specification building on top of OAuth 2 • Adds first-class identity information to protocol • Supports additional use cases –(hybrid client)50 Copyright ©2012 Ping Identity Corporation. All rights reserved.
  • OpenID Connect • New “ID Token” • Normal Access token is for the resource, about the client application • ID token is meant to be understood by the client, about the user51 Copyright ©2012 Ping Identity Corporation. All rights reserved.
  • OpenID Connect • Defines UserInfo service –To get user attributes in a standard manner • Has Simple discovery mechanism to authenticate by URL or email address • Defines dynamic client support52 Copyright ©2012 Ping Identity Corporation. All rights reserved.
  • OpenID Connect OpenID Connect provides a single way to securely support both Web SSO, and API access by native clients.53 Copyright ©2012 Ping Identity Corporation. All rights reserved.
  • Closing54 Copyright ©2012 Ping Identity Corporation. All rights reserved.
  • Closing • Digital Identity is a broad topic representing the user authentication, attributes, and authorization policies for a domain • Applications should not be their own security domains –does not scale55 Copyright ©2012 Ping Identity Corporation. All rights reserved.
  • Closing • Web SSO is a way to bridge the gap in security domains –SAML - Security Assertion Markup Language –OpenID56 Copyright ©2012 Ping Identity Corporation. All rights reserved.
  • Closing • For native clients, the browser flow of Web SSO is not appropriate • SOAP services have WS-* –supports SAML tokens • REST services have OAuth –supports SAML tokens57 Copyright ©2012 Ping Identity Corporation. All rights reserved.
  • Closing • Going forward, OpenID Connect bridges Web SSO and API access. • Supports authentication and authorization • Previous protocols will stay in use58 Copyright ©2012 Ping Identity Corporation. All rights reserved.
  • Questions? http://www.flickr.com/photos/horiavarlan/4273168957/ • Ask me about: –WS-Federation –WS-Security/WS-Trust –SCIM –ID-FF/Shibboleth59 Copyright ©2012 Ping Identity Corporation. All rights reserved.
  • Questions? • Visit www.pingidentity.com or www.pingone.com for more information • Email sales@pingidentity.com with questions Are you a SaaS company interested in getting started with PingOne for free? Contact us at sales@pingidentity.com to learn how!60 Copyright ©2012 Ping Identity Corporation. All rights reserved.