Access Management for Cloud and Mobile
Presented by Bert Van Beeck, Technical Enablement Lead, ForgeRock at ForgeRock Open Identity Stack Summit, France 2013
Access Management for Cloud and Mobile Presentation Transcript

  • 1. 2013 Open Stack Identity Summit - France Access Management for Cloud and Mobile
  • 2. Single Sign On [architecture diagram; labels: web gateway; Session Lifecycle Management; Web Application; Fat Client Application; Stateful Session; SP / IDP; Stateless Session; Session Store (memory or persisted) with the option to enable session failover/replication; Create, Leverage & Upgrade Session; Authentication; Federation; Leverage session; Authorization; Attributes]
  • 3. The Good, The Bad and The Ugly “You see, in this world there's two kinds of APIs, my friend: Those that are lightweight and those that make you dig”
  • 4. On-Premise vs Cloud/Social/Mobile SOAP XML REST JSON
  • 5. OAuth2, OpenID Connect, REST [diagram: Mobile, Social, Cloud, Enterprise and Things reach OpenAM over HTTP(S)/JSON REST endpoints; OpenAM Core provides AuthN, AuthZ, Session Validation, Identity Management, Realm Mgmt, OAuth2, OpenID Connect, Logging]
  • 6. Mobile IAM for the Modern Web [diagram: Web App, Web App, Login App (OAuth2), Native App (REST), Native App (OpenID Connect) talking to OpenAM, which provides Authentication, Authorization, Attribute Delivery, Cloud Federation, SSO, Token Persistence, Session Mgmt, OAuth2 Provider; Enterprise]
  • 7. “You see, in this world there's two kinds of APIs, my friend: Those that are lightweight and those that make you dig” Demo
  • 8. 2 Native apps on iPhone. OAuth2 Demo: •  obtains an OAuth2 refresh and access token using the Authorization Code Grant and then stores them locally in the iPhone keyring •  accesses user profile info with the access token •  refreshes the access token when it expires using the refresh token. SSO Demo: •  retrieves the access token from the iPhone keyring •  accesses user profile info with the access token
  • 9. OAuth2 •  Authorization protocol •  Grants access to third parties •  Parties do not share sensitive user information, i.e. no credentials are shared •  Used to grant limited access, for a limited time, to specific resources •  Developed by an IETF working group
  • 10. Who is using OAuth2
  • 11. OAuth2 Tokens. ACCESS Token •  Used to access a protected resource •  Obtained through one of the grant flows •  Lifetime short (minutes, hours). REFRESH Token •  Used to obtain a new access token •  Obtained through one of the grant flows •  Lifetime long (days, weeks, months)
  • 12. Possible flow [sequence diagram, steps 1-7: the Client retrieves a refresh token from the Provider, then retrieves an access token, then calls the Protected Resource leveraging the access token]
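The demo on slide 8 and the token lifetimes and flow on slides 11 and 12, worked through as an added example that is not code from the talk or from OpenAM: a constructed in-memory provider (MockProvider) and two client functions (login, get_profile) that share a keyring dict, with the clock passed in as now so expiry behaviour is deterministic. All names are hypothetical.

```python
import secrets

ACCESS_TTL, REFRESH_TTL = 60, 30 * 86400   # access: minutes/hours; refresh: days/months (seconds)

class MockProvider:
    # Constructed in-memory stand-in for a provider's token endpoint and userinfo resource (not OpenAM).
    def __init__(self):
        self.codes, self.access, self.refresh = {}, {}, {}

    def authorize(self, user):
        # Authorization Code Grant: after the user logs in at the provider, a one-time code is issued.
        code = secrets.token_urlsafe(16)
        self.codes[code] = user
        return code

    def token(self, grant_type, now, **p):
        user = None
        if grant_type == "authorization_code":
            user = self.codes.pop(p.get("code"), None)                         # code is single-use
        elif grant_type == "refresh_token":
            user, exp = self.refresh.pop(p.get("refresh_token"), (None, 0))    # old refresh token rotated out
            user = None if now > exp else user
        if user is None:
            return None
        at, rt = secrets.token_urlsafe(24), secrets.token_urlsafe(24)
        self.access[at] = (user, now + ACCESS_TTL)
        self.refresh[rt] = (user, now + REFRESH_TTL)
        return {"access_token": at, "refresh_token": rt, "expires_in": ACCESS_TTL}

    def userinfo(self, access_token, now):
        # Protected resource: whoever bears a valid, unexpired access token gets the profile.
        user, exp = self.access.get(access_token, (None, 0))
        return None if user is None or now > exp else {"sub": user}

def store(keyring, tok, now):
    keyring.update(access=tok["access_token"], refresh=tok["refresh_token"],
                   expires_at=now + tok["expires_in"])

def login(p, keyring, code, now):
    # App 1 of the demo: exchange the code and save the token pair in the shared keyring.
    store(keyring, p.token("authorization_code", now, code=code), now)

def get_profile(p, keyring, now):
    # Either app: use the stored access token; when it has expired, trade the refresh token first.
    if now >= keyring["expires_at"]:
        tok = p.token("refresh_token", now, refresh_token=keyring["refresh"])
        if tok is None:
            raise PermissionError("refresh token rejected; user must log in again")
        store(keyring, tok, now)
    return p.userinfo(keyring["access"], now)
```

The second app of the demo is simply another call to get_profile with the same keyring: it never sees the user's credentials, only the tokens.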
  • 13. Resource Owner Password Flow [sequence diagram, steps 1-4: the application provides the user's userid/password credentials to the Provider and retrieves an access token; the Client then calls the Protected Resource leveraging the access token]
  • 14. Supported grants. Use Case: For Web Applications §  Authorization Code Flow Grant §  Implicit Flow Grant. Use Case: For Mobile Applications §  Resource Owner Password. Use Case: For Application to Application §  Client Credentials Flow §  SAMLv2 Token Insertion. Use Case: Implicit Flow Grant
  • 15. Cheat sheet http://www.cheatography.com/kayalshri/cheatsheets/oauth-end-points/
  • 16. What is it not •  OpenID Connect is not OpenID •  OpenID is an old social protocol, without a mandatory contract between client and provider •  OpenID is insecure
  • 17. What is OAuth2 again? •  OAuth2 is an AUTHORIZATION protocol •  An access/refresh token represents access to a resource for anybody who holds that token •  There is no system in place to restrict resource usage to a user identity
  • 18. OpenID Connect •  OpenID Connect uses TWO access/refresh tokens •  One to authorize the resource (see OAuth2 above) •  One to authorize the user identity accessing that resource [diagram: Protected Resource; OAuth2 Access Token; User identity; OAuth2 Access Token] •  OpenID Connect maintains the relationship between the resource and the user •  The user can only access the resource with its access token provided the user access token is entitled to it
  • 19. 2013 Open Stack Identity Summit - France Coming from a different angle
  • 20. OpenAM Authentication •  MSISDN •  HOTP (text messages via cell phone) •  OATH (third-party token generators)
  • 21. Banking grade authentication Thomas Bostrøm Jørgensen - CEO, Encap