Your SlideShare is downloading. ×
Five Things You Gotta Know About Modern Identity
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×
Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

Five Things You Gotta Know About Modern Identity

2,405
views

Published on

Modern identity supports the new world built on device-independent, location-anywhere access. New-school provisioning and authentication are requiremed. Its protocols are increasingly built upon …

Modern identity supports the new world built on device-independent, location-anywhere access. New-school provisioning and authentication are requiremed. Its protocols are increasingly built upon frameworks like REST and JSON; examples include SCIM, OAuth OpenID Connect and FIDO. Modern identity leverages IDaaS and identity bridges to manage users and applications across the hybrid cloud.

Published in: Technology, Business

0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
2,405
On Slideshare
0
From Embeds
0
Number of Embeds
2
Actions
Shares
0
Downloads
37
Comments
0
Likes
1
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. Five Things You Gotta Know About Modern Identity Mark Diodati Technical Director—CTO Office @mark_diodati mdiodati@pingidentity.com Tues 13-10-15
  • 2. Agenda • • • • • Cloud Identity Modern Identity’s Building Blocks Provisioning and SCIM OpenID Connect FIDO
  • 3. Digging Into Identity CLOUD IDENTITY
  • 4. On-Premises, Hybrid, Cloud on-premises cloud hybrid
  • 5. Cloud Identity • Identity Management as a Service (IDaaS) – Externally hosted, turnkey SaaS applications that perform identity management • Users and applications may be on-premises or hosted – OPEX, flexible with changes in economies of scale • Identity bridge – On-premises component to connect on-premises and externally hosted environments – Supports multiple identity services
  • 6. Cloud Orientation to from in
  • 7. Hosted On-Premises Sync (API) Federation SSO To The Cloud (SSO + Provisioning) Identity bridge s ero b Ker Employee Dire ctor y SSO syn c Federation IdP Directory synchronization Active Directory
  • 8. To The Cloud (Mobile Identity) MDM cloud service Private key Profile/policy Credential provisioning Group A App distro Externally Hosted On-Premises Group Microsoft Certificate Services Identity Bridge MDM Active Directory MMC
  • 9. From The Cloud (SSO) Partner SAML, OAuth, Password, X.509 Hosted On-Premises OAuth relying party OAuth authorization service Federation SP Federation IDP OAuth resource server HTTP cookie uth OA Identity bridge WAM-protected application SAM L SAML-enabled application
  • 10. From the Cloud (Provisioning) Provisioning IDaaS Externally Hosted ERP Reconciliation Active Directory Europe Identity bridge North America On-Premises Identity bridge Manufacturing Reconciliation Active Directory
  • 11. In The Cloud (SSO + Provisioning) IDaaS Provisioning Provisioning Federation IdP Authentication Federated SSO User Hosted On-Premises
  • 12. Digging Into Identity MODERN BUILDING BLOCKS
  • 13. Modern Building Blocks • REST (Representational State Transfer) – Adopted in response to the complexity of SOAP – Uses HTTP for its request/response – Objects are represented as URLs – Example HTTP verbs • GET: retrieve object attributes • POST: create object with new attributes • DELETE: delete object
  • 14. Modern Building Blocks • JSON (JavaScript Object Notation) – Adopted in response to the complexity of XML – Data format representing name value pairs
  • 15. Modern Building Blocks • Most modern identity standards leverage JSON over REST – Peanut butter and jelly – OAuth (authorization), SCIM (provisioning), FIDO (authentication), OpenID Connect (multi-protocol) • Some notable exceptions are SAML and XACML
  • 16. Modern Building Blocks POST https://pingidentity.com:8443/Users Authorization: Basic Y249RGlyZWN0b3J5IE1... Content-Type: application/json { "userType":"spy", "externalId":“tstark86753", REST HTTP verb (add user in "pacsSerial":"87654321", "active":true, SCIM) "otpSerial":"12345678", "email":“tony.stark@pingidentity.com", "userName":"lcarroll", "givenName":“Tony", "familyName":“Stark“ }
  • 17. Modern Building Blocks POST https://pingidentity.com:8443/Users Authorization: Basic Y249RGlyZWN0b3J5IE1... Content-Type: application/json { "userType":"spy", "externalId":“tstark86753", "pacsSerial":"87654321", In REST, objects and "active":true, endpoints have "otpSerial":"12345678", "email":“tony.stark@pingidentity.com", unique URLs "userName":"lcarroll", "givenName":“Tony", "familyName":“Stark“ }
  • 18. Modern Building Blocks JSON data representation POST https://pingidentity.com:8443/Users Authorization: Basic Y249RGlyZWN0b3J5IE1... Content-Type: application/json { "userType":“superhero", "externalId":"tstark86753", "pacsSerial":"87654321", "active":true, "otpSerial":"12345678", "email":"tony.stark@pingidentity.com", "userName":"tstark", "givenName":"Tony", "familyName":"Stark" }
  • 19. Modern Building Blocks POST https://pingidentity.com:8443/Users Authorization: Basic Y249RGlyZWN0b3J5IE1... Content-Type: application/json { "userType":"spy", "externalId":"tstark86753", "pacsSerial":"87654321", "active":true, "otpSerial":"12345678", "email":"tony.stark@pingidentity.com", "userName":"tstark", "givenName":"Tony", "familyName":"Stark" }
  • 20. Digging Into Identity PROVISIONING
  • 21. Provisioning: Definition • Addition, deletion and modification of users – Typically across heterogeneous applications • Workflow – From simple to complex • User self-service • Initiated via a feed from an external system (e.g., HR) • Primary user constituency is the employee and (increasingly) partners and contractors
  • 22. Provisioning: Why Care? • User access requires provisioning – Access are not possible without an identity in the target application – SaaS applications require identity siloes, due to service level and security concerns • Results of poor provisioning – Decreased productivity – Excessive access: compliance violations, data User breaches, unauthorized transactions Provisioning
  • 23. Anatomy of a Provisioning Service • Protocols – Examples include REST, SOAP, LDAP, applicationspecific APIs, CSV, FTP • Schemas – In order: user, group, entitlement, manager, extensible objects – Attribute data model (e.g., multi-valued, compound) is irregular across different identity stores User Provisioning
  • 24. Provisioning Standards: Why Care? • Identity at scale • Many protocols and multiple user constituencies means that provisioning are difficult to manage • Proprietary provisioning connections are fragile • Application revisions require analysis and potential rewrite of the consumer (e.g., provisioning system) User Provisioning Standards-Based Provisioning
  • 25. The Case For SCIM • SCIM is our last best hope at standards-based provisioning • Support by application vendors will be necessary – Participation by Cisco, Microsoft, Google, Ping Identity, and Salesforce hints at broad industry support • Optional standard user schema • As of October 2013, most of the v2 features are defined – v2 is not compatible with v1.1
  • 26. SCIM Components SaaS application (SCIM service provider) Externally Hosted Create user (HTTP POST) On-Premises Identity system (SCIM consumer)
  • 27. SCIM + Federated SSO SS SS Ke rb er os Partner Two O Partner One Authorization query O Federated SSO SCIM SCIM provider Federation SP s ry c yn Active Directory SCIM consumer Federation IDP o ct re Di y tor c ire D c yn s Active Directory
  • 28. Digging Into Identity OPENID CONNECT
  • 29. Why Not Just Use OAuth? • OAuth is: – Valuable as an access delegation protocol – A good fit for native mobile applications – Friendly for developers • OAuth is not: – A user identity protocol – An “identity at scale” protocol
  • 30. OAuth Components and Flow OAuth resource server OAuth authorization server OAuth client/relying party A Native application R A refresh token access token ded loa ion wn icat do ent ens + auth ok 6. T e code nc fere e 5. R 2. Us er au 3. the To ke n/ nr co efe ns en ren t ce ret urn co de rce ou es n n r atio t tio ca sen pli e ap pr n to ke ss to ce Ac ss 8. ce Ac 7. A 1. Browser instantiated 4. Code delivery Web browser
  • 31. OAuth resource server OpenID Connect Flow authorization server user information endpoint n s en atio k To form in er Us A AP IA cce ss A OAuth client/relying party ID R A ID token refresh token access token OpenID Provider
  • 32. OIDC Flow Redux OAuth resource server OpenID OpenID Provider Provider #1 authorization server authorization server user information endpoint user information endpoint s oi n nens atiatno kek r ToTo form m fo in in es r sUr e U AA APAP I AI Ac ccece ss ss A A OAuth OAuth client/relying party client/relying party IDID RR IDID AA access refresh access ID refresh token token token token token RR AA OpenID OpenID Provider Provider #2
  • 33. OpenID Connect Protocols Optional discovery of OpenID providers
  • 34. OpenID Connect Protocols Optional automated registration of clients (e.g., server applications, mobile devices)
  • 35. OpenID Connect Under The Covers • OAuth 2.0 specifications • JSON Web Token (JWT) • JOSE – JSON Web Signature (JWS) – JSON Web Encryption (JWE) – JSON Web Algorithms (JWA) – JSON Web Key (JWK)
  • 36. Digging Into Identity FIDO
  • 37. FIDO—A Tale of Two Protocols • FIDO Unified Authentication Framework (UAF) – Local mobile biometrics – Initially proposed by Lenovo, Nok Nok, PayPal, others – Also supports non-biometric authentication • Universal Second Factor (U2F) – “Smart” smart card • Initially proposed by Google and Yubikey (first to partner)
  • 38. FIDO UAF (2) FIDO handshake FIDO Server F device attestation (3) Asymmetrci key authn web site/RP Binding of user info and public key ID Proofing (1) user authentication to FIDO client FIDO Client authenticator(s) F device key pair site-specific key pairs FIDO Attestation Service F
  • 39. UAF to OpenID Connect Binding of user info and public key OpenID Provider (1) user authentication to FIDO client F A (5 )A PI re qu es t/ re sp on se (4) Token information (2) FIDO handshake FIDO client (3) asymmetric key authn F FIDO authentication module A mobile application (relying party) ID A tokens R
  • 40. User info, public key and Key Handle ord auth ser passw (1) u site authn service activation button (activation required during enrollment and optional at runtime) U2F authn service device attestation (2) Challenge response, with Key Han dle web site/RP FIDO U2F site-specific key pairs (with Key Handles) device key pair (per batch) attestation service
  • 41. U2F to Federation User info, public key and Key Handle Federation IDP U2F authn service Federation SP (2) Challe nge respo nse, with Key Handle (3) SAM L cr ede ntia ls (1) user password auth primary authn service (4) L AM S als nti de cre
  • 42. 42 Copy right ©2013 Ping Identity Corporation. All rights reserv ed.

×