Access Management for Cloud and Mobile

Presented by Bert Van Beeck, Technical Enablement Lead, ForgeRock at ForgeRock Open Identity Stack Summit, France 2013


  1. 2013 Open Stack Identity Summit - France: Access Management for Cloud and Mobile
  2. Single Sign On web gateway / Session Lifecycle Management (diagram labels): Web Application, Fat Client Application, Stateful Session, SP, IDP, Stateless Session; Session Store (Memory or Persisted) with option to enable Session Failover/replication; Create, Leverage & Upgrade Session; Authentication, Federation (leverage session), Authorization, Attributes
  3. The Good, The Bad and The Ugly: “You see, in this world there's two kinds of APIs, my friend: Those that are lightweight and those that make you dig”
  4. On-Premise vs Cloud/Social/Mobile (diagram): SOAP, XML vs REST, JSON
  5. OAuth2, OpenID Connect, REST (architecture diagram): Mobile, Social, Cloud, Enterprise and Things reach OpenAM over HTTP(s)/JSON REST Endpoints for AuthN, AuthZ, Session Validation, Identity Management and Realm Mgmt, on top of OpenAM Core with OAuth2, OpenID Connect and Logging
  6. Mobile IAM for the Modern Web (diagram): Web App, Login App and Native Apps connect to OpenAM via OAuth2, REST and OpenID Connect; OpenAM provides Authentication, Authorization, Attribute Delivery, Cloud Federation, SSO, Token Persistence, Session Mgmt and an OAuth2 Provider for the Enterprise
  7. Demo: “You see, in this world there's two kinds of APIs, my friend: Those that are lightweight and those that make you dig”
  8. 2 Native apps in iPhone
     OAuth2 Demo
     •  Obtains an OAuth2 Refresh and Access Token using the Authorization Code Grant and then stores it locally in the iPhone keyring
     •  Access User Profile info with the Access Token
     •  Refreshes the Access Token when it expires using the refresh token
     SSO Demo
     •  Retrieves the Access Token from the iPhone keyring
     •  Access User Profile info with the Access Token
  9. OAuth2
     •  Authorization protocol
     •  Grant access to third parties
     •  Parties do not share sensitive user information, i.e. no credentials are shared
     •  Used to grant limited access during limited time to specific resources
     •  Developed by the IETF Working group
  10. Who is using OAuth2
  11. OAuth2 Tokens
     ACCESS Token
     •  Used to access a protected resource
     •  Obtained through one of the grant flows
     •  Life time short (minutes, hours)
     REFRESH Token
     •  Used to obtain a new access token
     •  Obtained through one of the grant flows
     •  Life time long (days, weeks, months)
  12. Possible flow (sequence diagram, steps 1–7): the Client retrieves a refresh token from the Provider, then retrieves an access token, then accesses the Protected Resource leveraging the access token
  13. Resource Owner Password Flow (sequence diagram, steps 1–4): the application provides userid/password credentials to the Provider, the Client retrieves an access token, then accesses the Protected Resource leveraging the access token
  14. Supported grants
     Use Case: For Web Applications
     §  Authorization Code Flow Grant
     §  Implicit Flow Grant
     Use Case: For Mobile Applications
     §  Resource Owner Password
     Use Case: For Application to Application
     §  Client Credentials Flow
     §  SAMLv2 Token Insertion
     Use Case: Implicit Flow Grant
  15. Cheat sheet: http://www.cheatography.com/kayalshri/cheatsheets/oauth-end-points/
  16. What is it not
     •  OpenID Connect is not OpenID
     •  OpenID is an old social protocol, without a mandatory contract between client and provider
     •  OpenID is insecure
  17. What is OAuth2 again?
     •  OAuth2 is an AUTHORIZATION protocol
     •  Access/Refresh token represents access to a resource for anybody who has that token
     •  There is no system in place to restrict resource usage to a user identity
  18. OpenID Connect
     •  OpenID Connect uses TWO access/refresh tokens
     •  One to authorize the resource (see OAuth2 before)
     •  One to authorize the user identity accessing that resource
     (diagram: Protected Resource with its OAuth2 Access Token; User identity with its OAuth2 Access Token)
     •  OpenID Connect maintains the relationship between the resource and the user
     •  User can only access the resource with its access token provided the user access token is entitled to it
  19. 2013 Open Stack Identity Summit - France: Coming from a different angle
  20. OpenAM Authentication
     •  MSISDN
     •  HOTP (Text Messages via cell phone)
     •  OATH (3rd party Token generators)
  21. Banking grade authentication: Thomas Bostrøm Jørgensen - CEO, Encap
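The token lifecycle that slides 8, 11 and 12 describe (short-lived access token, long-lived refresh token, refresh on expiry, a second app reading the same keyring for SSO) as an added, self-contained Python simulation. This is example code written for this page, not OpenAM's implementation nor the demo apps from the talk: the provider, resource and client classes, the `demo-app` client id, the user `alice`, the `profile` scope and the TTL constants are all assumptions, and a controllable clock replaces real time so expiry can be exercised without waiting.

```python
"""Added example: in-memory OAuth2 token lifecycle (provider, protected resource, client).
Not OpenAM code; every name and TTL here is an assumption made for the demo."""
import secrets
from dataclasses import dataclass

ACCESS_TTL = 60            # assumed: access tokens live minutes/hours (slide 11)
REFRESH_TTL = 30 * 86400   # assumed: refresh tokens live days/weeks/months (slide 11)


class Clock:
    """Controllable clock so expiry can be tested without sleeping."""
    def __init__(self, start=1_000_000.0):
        self.now = start

    def tick(self, seconds):
        self.now += seconds


@dataclass
class TokenRecord:
    client_id: str
    subject: str
    scope: frozenset
    expires_at: float


class AuthorizationServer:
    """Provider side: authorization-code exchange, refresh with rotation, introspection."""
    def __init__(self, clock):
        self.clock, self.codes, self.access, self.refresh = clock, {}, {}, {}

    def issue_code(self, client_id, subject, scope):
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, subject, frozenset(scope), self.clock.now + 60)
        return code

    def _issue_pair(self, client_id, subject, scope):
        a, r = secrets.token_urlsafe(24), secrets.token_urlsafe(24)
        self.access[a] = TokenRecord(client_id, subject, scope, self.clock.now + ACCESS_TTL)
        self.refresh[r] = TokenRecord(client_id, subject, scope, self.clock.now + REFRESH_TTL)
        return {"access_token": a, "refresh_token": r, "token_type": "Bearer", "expires_in": ACCESS_TTL}

    def token_authorization_code(self, client_id, code):
        entry = self.codes.pop(code, None)       # authorization codes are single use
        if entry is None or entry[0] != client_id or entry[3] < self.clock.now:
            return {"error": "invalid_grant"}
        return self._issue_pair(entry[0], entry[1], entry[2])

    def token_refresh(self, client_id, refresh_token):
        rec = self.refresh.get(refresh_token)
        if rec is None or rec.client_id != client_id or rec.expires_at < self.clock.now:
            return {"error": "invalid_grant"}
        del self.refresh[refresh_token]          # rotate: the spent refresh token cannot be reused
        return self._issue_pair(rec.client_id, rec.subject, rec.scope)

    def introspect(self, access_token):
        rec = self.access.get(access_token)
        if rec is None or rec.expires_at < self.clock.now:
            return {"active": False}
        return {"active": True, "sub": rec.subject, "scope": sorted(rec.scope)}


class ProfileResource:
    """Protected resource: the token must be active and carry the 'profile' scope."""
    def __init__(self, server):
        self.server = server

    def get_profile(self, access_token):
        info = self.server.introspect(access_token)
        if not info["active"]:
            return 401, {"error": "invalid_token"}
        if "profile" not in info["scope"]:
            return 403, {"error": "insufficient_scope"}
        return 200, {"sub": info["sub"]}


class NativeApp:
    """Client side: keeps the token pair in a shared keyring dict and refreshes on 401."""
    def __init__(self, server, resource, client_id, keyring):
        self.server, self.resource, self.client_id, self.keyring = server, resource, client_id, keyring

    def login(self, code):
        self.keyring.update(self.server.token_authorization_code(self.client_id, code))

    def fetch_profile(self):
        status, body = self.resource.get_profile(self.keyring["access_token"])
        if status == 401:                        # expired: use the refresh token, then retry once
            resp = self.server.token_refresh(self.client_id, self.keyring["refresh_token"])
            if "error" in resp:
                return status, body
            self.keyring.update(resp)
            status, body = self.resource.get_profile(self.keyring["access_token"])
        return status, body


def run_demo():
    """Replays slide 8: login and refresh in app 1, then SSO from app 2 through the keyring."""
    clock, keyring = Clock(), {}                 # keyring dict stands in for the device keyring
    server = AuthorizationServer(clock)
    resource = ProfileResource(server)
    app1 = NativeApp(server, resource, "demo-app", keyring)
    app1.login(server.issue_code("demo-app", "alice", ["profile"]))
    first = app1.fetch_profile()
    old_access, old_refresh = keyring["access_token"], keyring["refresh_token"]
    clock.tick(ACCESS_TTL + 1)                   # access token expires, refresh token still valid
    second = app1.fetch_profile()                # refreshed transparently
    app2 = NativeApp(server, resource, "demo-app", keyring)  # second app, same keyring: SSO
    third = app2.fetch_profile()
    limited = server.token_authorization_code("demo-app", server.issue_code("demo-app", "bob", ["email"]))
    return {"first": first, "second": second, "third": third,
            "rotated": old_access != keyring["access_token"],
            "stale_access": resource.get_profile(old_access)[0],
            "reused_refresh": server.token_refresh("demo-app", old_refresh),
            "wrong_scope": resource.get_profile(limited["access_token"])[0]}
```

Running `run_demo()` returns the three profile responses (all 200 for `alice`) together with the checks a reviewer would want from slide 17's warning that a token grants access to anybody holding it: the expired access token is rejected, the rotated refresh token cannot be replayed, and a token lacking the `profile` scope gets 403.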
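Slide 20 lists HOTP and OATH token generators among the OpenAM authentication modules. As an added example, not OpenAM's module code, here is the RFC 4226 HOTP algorithm those modules rely on, plus the server-side verifier state a deployment needs: a per-user counter, a look-ahead window for resynchronisation, replay rejection and failure throttling. The `HotpVerifier` class, its window size and failure limit are assumptions for the example; the algorithm and the test vectors are from RFC 4226.

```python
"""Added example: RFC 4226 HOTP generation and a server-side verifier (not OpenAM code)."""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP(K, C) = Truncate(HMAC-SHA-1(K, C)) mod 10^digits, as in RFC 4226 section 5.3."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # low 4 bits of the last byte
    dbc = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF   # dynamic binary code
    return str(dbc % 10 ** digits).zfill(digits)


class HotpVerifier:
    """Verifier state for one user (assumed design): secret, next expected counter, look-ahead window.

    A code whose counter lies within the window is accepted and the stored counter moves past it,
    so a token that ran ahead resynchronises; a code at or behind the stored counter is rejected,
    which defeats replay.  Repeated failures lock the verifier (RFC 4226 section 7.3 throttling)."""

    def __init__(self, secret: bytes, window: int = 10, digits: int = 6, max_failures: int = 5):
        self.secret, self.window, self.digits, self.max_failures = secret, window, digits, max_failures
        self.counter, self.failures = 0, 0

    def verify(self, code: str) -> bool:
        if self.failures >= self.max_failures:
            return False                                      # locked until an operator resets it
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c, self.digits).encode(), code.encode()):
                self.counter = c + 1                          # resynchronise past the accepted value
                self.failures = 0
                return True
        self.failures += 1
        return False


RFC4226_SECRET = b"12345678901234567890"   # the shared secret from RFC 4226 Appendix D
```

With the Appendix D secret, counters 0, 1 and 9 produce 755224, 287082 and 520489. Feeding 755224 to a fresh verifier succeeds once and is refused on replay; 969429 (counter 3) is accepted through the look-ahead window and advances the stored counter to 4, after which 287082 (counter 1) is rejected.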
