Mobile Cloud Identity



Join Mark Diodati for this engaging tour of things identity, from a mobile and cloud perspective.



  1. Mobile Cloud Identity. Mark Diodati, Technical Director—CTO Office, @mark_diodati. Thurs 13-12-05
  2. Agenda
     • Cloud Identity
     • Modern Identity’s Building Blocks
     • OpenID Connect
     • FIDO
     • NFC
  3. Mobile Cloud Identity: CLOUD IDENTITY (section title slide)
  4. On-Premises, Hybrid, Cloud (diagram of the three deployment models: on-premises, hybrid, cloud)
  5. Cloud Identity
     • Identity Management as a Service (IDaaS)
       – Externally hosted, turnkey SaaS applications that perform identity management
       – Users and applications may be on-premises or hosted
       – OPEX, flexible with changes in economies of scale
     • Identity bridge
       – On-premises component to connect on-premises and externally hosted environments
       – Supports multiple identity services
  6. Cloud Orientation (diagram: identity services oriented to the cloud, from the cloud, and in the cloud)
  7. To The Cloud (SSO + Provisioning) (architecture diagram). Hosted side: employee directory, federation SSO. On-premises side: Active Directory, identity bridge, Kerberos SSO for the employee, federation IdP, directory synchronization over a sync (API) channel.
  8. To The Cloud (Mobile Identity) (architecture diagram). Externally hosted: MDM cloud service delivering profile/policy, credential provisioning (private key) and app distribution to device groups (Group A). On-premises: identity bridge, MDM, Microsoft Certificate Services, Active Directory, MMC.
  9. From The Cloud (SSO) (architecture diagram). Partner authenticates with SAML, OAuth, password or X.509. Hosted: federation SP, OAuth relying party. On-premises: federation IdP, OAuth authorization service, OAuth resource server, identity bridge, WAM-protected application (HTTP cookie), SAML-enabled application (SAML).
  10. From the Cloud (Provisioning) (architecture diagram). Externally hosted IDaaS provisioning, with reconciliation, to on-premises targets (ERP, Active Directory) in Europe, North America and Manufacturing, each reached through an identity bridge.
  11. In The Cloud (SSO + Provisioning) (architecture diagram). IDaaS hosts provisioning, the federation IdP and authentication; the user gets federated SSO to hosted and on-premises applications.
  12. Mobile Cloud Identity: MODERN BUILDING BLOCKS (section title slide)
  13. Modern Building Blocks
      • REST (Representational State Transfer)
        – Adopted in response to the complexity of SOAP
        – Uses HTTP for its request/response
        – Objects are represented as URLs
        – Example HTTP verbs
          • GET: retrieve object attributes
          • POST: create object with new attributes
          • DELETE: delete object
  14. Modern Building Blocks
      • JSON (JavaScript Object Notation)
        – Adopted in response to the complexity of XML
        – Data format representing name/value pairs
  15. Modern Building Blocks
      • Most modern identity standards leverage JSON over REST
        – Peanut butter and jelly
        – OAuth (authorization), SCIM (provisioning), FIDO (authentication), OpenID Connect (multi-protocol)
      • Some notable exceptions are SAML and XACML
  16. Modern Building Blocks: a SCIM user-creation request. Callout: the REST HTTP verb (add user in SCIM).
      POST
      Authorization: Basic Y249RGlyZWN0b3J5IE1...
      Content-Type: application/json
      {
        "userType": "spy",
        "externalId": "tstark86753",
        "pacsSerial": "87654321",
        "active": true,
        "otpSerial": "12345678",
        "email": "",
        "userName": "lcarroll",
        "givenName": "Tony",
        "familyName": "Stark"
      }
  17. Modern Building Blocks: the same request. Callout: in REST, objects and endpoints have unique URLs.
  18. Modern Building Blocks: the same request with "userType": "superhero" and "userName": "tstark". Callout: JSON data representation.
  19. Modern Building Blocks: the same request with "userType": "spy" and "userName": "tstark" (no callout).
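The request on slides 16 to 19 and the verbs on slide 13, worked through as an added example in Python (not code from the slides or from Ping Identity): an in-memory SCIM-style /Users resource that checks the Basic credential and Content-Type, creates the user from the JSON body, and returns it at its own URL for later GET and DELETE. The service root https://scim.example.com/v2, the credential scim-admin/s3cret and the uuid-based ids are assumptions made for the example.

```python
"""Minimal SCIM-style /Users resource showing the slide's REST verbs and JSON
body. Added example, not code from the slides or from Ping Identity; the base
URL, the Basic credentials and the sample user are constructed for it."""
import base64
import hmac
import json
import uuid

BASE_URL = "https://scim.example.com/v2"            # constructed service root
ADMIN_USER, ADMIN_PASSWORD = "scim-admin", "s3cret"  # constructed credential


def basic_auth_header(user, password):
    """Build the 'Authorization: Basic <base64(user:password)>' value."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


class ScimUsers:
    """In-memory resource: POST creates, GET retrieves, DELETE removes.
    Each created user gets its own URL, returned in the Location header."""

    def __init__(self):
        self.users = {}  # id -> resource

    def _authorized(self, headers):
        scheme, _, token = headers.get("Authorization", "").partition(" ")
        if scheme != "Basic":
            return False
        try:
            user, _, password = base64.b64decode(token).decode().partition(":")
        except (ValueError, UnicodeDecodeError):
            return False
        # constant-time compare so response timing does not leak the credential
        return (hmac.compare_digest(user.encode(), ADMIN_USER.encode())
                and hmac.compare_digest(password.encode(), ADMIN_PASSWORD.encode()))

    def handle(self, method, path, headers, body=None):
        """Return (status, response headers, JSON resource or None)."""
        if not self._authorized(headers):
            return 401, {}, None
        if method == "POST" and path == "/Users":
            if headers.get("Content-Type") != "application/json":
                return 415, {}, None
            try:
                attrs = json.loads(body)
            except (TypeError, ValueError):
                return 400, {}, None
            if not isinstance(attrs, dict) or not attrs.get("userName"):
                return 400, {}, None   # userName is the one attribute SCIM requires
            uid = str(uuid.uuid4())
            self.users[uid] = {"id": uid, **attrs}
            return 201, {"Location": f"{BASE_URL}/Users/{uid}"}, self.users[uid]
        if path.startswith("/Users/"):
            uid = path[len("/Users/"):]
            if uid not in self.users:
                return 404, {}, None
            if method == "GET":
                return 200, {}, self.users[uid]
            if method == "DELETE":
                del self.users[uid]
                return 204, {}, None
        return 405, {}, None


def demo():
    """Create, read and delete the slide's user; returns the status codes seen."""
    svc = ScimUsers()
    headers = {"Authorization": basic_auth_header(ADMIN_USER, ADMIN_PASSWORD),
               "Content-Type": "application/json"}
    body = json.dumps({"userType": "spy", "externalId": "tstark86753",
                       "pacsSerial": "87654321", "active": True, "otpSerial": "12345678",
                       "email": "", "userName": "tstark",
                       "givenName": "Tony", "familyName": "Stark"})
    created_status, resp_headers, _ = svc.handle("POST", "/Users", headers, body)
    path = resp_headers["Location"][len(BASE_URL):]          # e.g. /Users/<uuid>
    get_status, _, fetched = svc.handle("GET", path, headers)
    delete_status, _, _ = svc.handle("DELETE", path, headers)
    gone_status, _, _ = svc.handle("GET", path, headers)
    unauth_status, _, _ = svc.handle("GET", path, {"Authorization": basic_auth_header("x", "y")})
    return created_status, get_status, fetched["userName"], delete_status, gone_status, unauth_status


if __name__ == "__main__":
    print(demo())
```

The Location header is the point of slide 17: the POST creates the object and hands back the URL that uniquely identifies it, and every later GET or DELETE addresses that URL rather than a query parameter.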
  20. Mobile Cloud Identity: OPENID CONNECT (section title slide)
  21. OAuth
      • Increasingly popular protocol for session management in rich mobile applications
      • Mobile web applications function well with traditional enterprise authentication
      • Rich mobile applications may break existing infrastructure like authentication and Web access management
  22. OAuth Components and Flow (flow diagram). Components: web browser, OAuth client/relying party (native application), OAuth authorization server, OAuth resource server; tokens: access token (A), refresh token (R). Steps: (1) Browser instantiated; (2) User authentication/consent; (3) Token reference code returned; (4) Code delivery; (5) Reference code + authentication; (6) Tokens downloaded; (7) Access token presentation; (8) Access application resource.
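The eight steps on the flow slide, carried through as an added example in Python (not code from the slides or from Ping Identity). The authorization server binds each reference code to the client and redirect URI that requested it and lets it be redeemed once, within CODE_LIFETIME; the token endpoint authenticates the client before the exchange; the resource server validates the presented bearer token. The client id mobile-app, its secret, the redirect URI myapp://callback, the scope name and the lifetimes are constructed for the example.

```python
"""OAuth 2.0 authorization code flow simulated end to end, following the
numbered steps on the flow slide. Added example, not code from the slides or
from Ping Identity; the client registration, secret, redirect URI and
lifetimes are constructed."""
import secrets
import time

CODE_LIFETIME = 60       # seconds a reference code stays exchangeable (constructed)
ACCESS_LIFETIME = 3600   # seconds an access token is valid (constructed)


def _now(now):
    return time.time() if now is None else now


class AuthorizationServer:
    def __init__(self):
        # constructed registration of the native app and its redirect URI
        self.clients = {"mobile-app": {"secret": "app-secret",
                                       "redirect_uri": "myapp://callback"}}
        self.codes = {}    # code -> (client_id, redirect_uri, user, scope, expiry)
        self.tokens = {}   # access token -> (user, scope, expiry)
        self.refresh = {}  # refresh token -> (client_id, user, scope)

    def authorize(self, client_id, redirect_uri, user, scope, now=None):
        """Steps 2-3: after login and consent, mint a single-use reference code
        bound to the client and redirect URI that asked for it."""
        client = self.clients.get(client_id)
        if client is None or client["redirect_uri"] != redirect_uri:
            raise PermissionError("unknown client or redirect URI mismatch")
        code = secrets.token_urlsafe(24)
        self.codes[code] = (client_id, redirect_uri, user, frozenset(scope),
                            _now(now) + CODE_LIFETIME)
        return code

    def token(self, code, client_id, client_secret, redirect_uri, now=None):
        """Steps 5-6: the client authenticates and trades the code for tokens."""
        now = _now(now)
        client = self.clients.get(client_id)
        if client is None or not secrets.compare_digest(client["secret"], client_secret):
            raise PermissionError("client authentication failed")
        entry = self.codes.pop(code, None)   # pop: a code is redeemable once
        if entry is None:
            raise PermissionError("unknown or already used code")
        bound_client, bound_redirect, user, scope, expiry = entry
        if bound_client != client_id or bound_redirect != redirect_uri or now > expiry:
            raise PermissionError("code bound to another client/redirect URI, or expired")
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.tokens[access] = (user, scope, now + ACCESS_LIFETIME)
        self.refresh[refresh] = (client_id, user, scope)
        return {"access_token": access, "refresh_token": refresh,
                "token_type": "Bearer", "expires_in": ACCESS_LIFETIME}

    def introspect(self, access, now=None):
        """The resource server's check of a presented access token."""
        entry = self.tokens.get(access)
        if entry is None or _now(now) > entry[2]:
            return None
        return {"user": entry[0], "scope": entry[1]}


class ResourceServer:
    def __init__(self, auth_server):
        self.auth_server = auth_server
        self.profiles = {"tstark": {"givenName": "Tony", "familyName": "Stark"}}  # constructed

    def get_profile(self, authorization_header, now=None):
        """Steps 7-8: accept 'Bearer <token>' and serve the resource if valid."""
        scheme, _, token = authorization_header.partition(" ")
        info = self.auth_server.introspect(token, now) if scheme == "Bearer" else None
        if info is None or "profile" not in info["scope"]:
            return 401, None
        return 200, self.profiles.get(info["user"])


def exchange_succeeds(auth, code, client_id, client_secret, redirect_uri, now=None):
    """True if the token endpoint accepts the exchange, False if it refuses."""
    try:
        auth.token(code, client_id, client_secret, redirect_uri, now)
        return True
    except PermissionError:
        return False


def run_flow():
    """Happy path, then a replayed code and a bogus token; returns what happened."""
    auth = AuthorizationServer()
    api = ResourceServer(auth)
    code = auth.authorize("mobile-app", "myapp://callback", "tstark", {"profile"})
    tokens = auth.token(code, "mobile-app", "app-secret", "myapp://callback")
    status, profile = api.get_profile("Bearer " + tokens["access_token"])
    replay_rejected = not exchange_succeeds(auth, code, "mobile-app", "app-secret",
                                            "myapp://callback")
    bogus_status, _ = api.get_profile("Bearer not-a-real-token")
    return status, profile["givenName"], replay_rejected, bogus_status
```

The refresh token is stored but not exercised here; in the slide's native-application setting it is what lets the client obtain a fresh access token after ACCESS_LIFETIME without sending the user back through the browser.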
  23. Why Not Just Use OAuth?
      • OAuth is:
        – Valuable as an access delegation protocol
        – A good fit for native mobile applications
        – Friendly for developers
      • OAuth is not:
        – A user identity protocol
        – An “identity at scale” protocol
  24. OpenID Connect Flow (flow diagram). Components: OpenID Provider containing the authorization server and the user information endpoint; OAuth resource server; OAuth client/relying party; tokens: ID token, access token (A), refresh token (R). Exchanges: tokens issued to the client, user information fetched from the user information endpoint, API access to the resource server with the access token.
  25. OIDC Multiple Provider Flow (flow diagram). Components: OpenID Provider #1 and OpenID Provider #2, each with an authorization server and a user information endpoint; OAuth resource server; OAuth client/relying party; tokens: ID token, access token (A), refresh token (R). Steps: (1) Tokens; (2) User information; (3) API access; (4) ID token; (5) Access, Refresh tokens.
  26. OpenID Connect Protocols: protocol for clients that support additional security
  27. OpenID Connect Protocols: protocol for simpler clients
  28. OpenID Connect Protocols: optional discovery of OpenID providers
  29. OpenID Connect Protocols: optional automated registration of clients (e.g., server applications, mobile devices)
  30. OpenID Connect Under The Covers
      • OAuth 2.0 specifications
      • JSON Web Token (JWT)
      • JOSE
        – JSON Web Signature (JWS)
        – JSON Web Encryption (JWE)
        – JSON Web Algorithms (JWA)
        – JSON Web Key (JWK)
  31. Mobile Cloud Identity: FIDO (section title slide)
  32. FIDO—A Tale of Two Protocols
      • FIDO Unified Authentication Framework (UAF)
        – Local mobile biometrics
        – Initially proposed by Lenovo, Nok Nok, PayPal, others
        – Also supports non-biometric authentication
      • Universal Second Factor (U2F)
        – “Smart” smart card
        – Initially proposed by Google and Yubikey (first to partner)
  33. FIDO UAF (architecture diagram). Components: web site/RP with FIDO Server; FIDO Client with authenticator(s) holding a device key pair and site-specific key pairs; FIDO Attestation Service; ID proofing; binding of user info and public key. Steps: (1) user authentication to FIDO client; (2) FIDO handshake; (3) asymmetric key authn; device attestation.
  34. UAF to OpenID Connect (flow diagram). Components: OpenID Provider (binding of user info and public key); FIDO client with FIDO authentication module; mobile application (relying party) holding ID, access (A) and refresh (R) tokens. Steps: (1) user authentication to FIDO client; (2) FIDO handshake; (3) asymmetric key authn; (4) token information; (5) API request/response.
  35. FIDO U2F (architecture diagram; slide title not recovered). Components: web site/RP with site authn service and U2F authn service (user info, public key and Key Handle); FIDO U2F device with site-specific key pairs (with Key Handles), device key pair (per batch) and activation button (activation required during enrollment and optional at runtime); attestation service. Steps: (1) user password auth; (2) challenge response, with Key Handle; device attestation.
  36. U2F to Federation (flow diagram). Components: Federation IDP with primary authn service and U2F authn service (user info, public key and Key Handle); Federation SP. Steps: (1) user password auth; (2) challenge response, with Key Handle; (3) SAML credentials; (4) SAML credentials.
  37. SCEP Certificate Enrollment (flow diagram). Components: iPhone Configuration Utility, profile service, certificate authority, SCEP.mobileconfig. Steps: (1) Utility publishes enrollment profile; (2) User authenticates; (3) Profile is downloaded; (4) iOS executes SCEP enrollment; (5) Certificate is installed in iOS store.
  38. SCEP Enrollment Vulnerability (flow diagram). Components: profile service, certificate authority, SCEP.mobileconfig; result: certificate and private key. Steps: (1) “Can I have a SCEP secret?”; (2) “Sure! Your SCEP secret is ‘8675309’.”; (3) “Your SCEP secret is ‘8675309’. Tony Stark, enroll for a certificate.”; (4) “My SCEP secret is ‘8675309’. My name is Nick Fury.”; (5) “Here you go! Your certificate name is Nick Fury.”
  39. Enhanced Enrollment (flow diagram). Components: MDM service, certificate authority; result: private key and certificate. Steps: (1) “Here is public key for user Tony Stark”; (2) “Sure! Here is the certificate”; (3) “Here is your certificate and private key!”
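The weakness on slide 38 and the tighter enrollment on slide 39, as an added example in Python (not code from the slides or from Ping Identity). WeakProfileService reproduces the slide: one shared secret that any holder can redeem under any name. BoundProfileService ties a random, single-use, time-limited challenge to the identity it was issued for, so the certificate authority refuses a request whose subject differs; slide 39's MDM model goes a step further by submitting the named user's public key itself, avoiding a shared secret entirely. The toy dictionary certificate, the names and the lifetime are constructed.

```python
"""SCEP challenge handling: the unbound shared secret the slide describes next
to a challenge bound to one subject. Added example, not code from the slides or
from Ping Identity. Names, secrets and the dictionary 'certificate' are
constructed; a real deployment carries the challenge in the PKCS#10
challengePassword attribute and issues X.509 certificates."""
import hashlib
import hmac
import secrets
import time

CHALLENGE_LIFETIME = 600   # seconds a challenge stays redeemable (constructed)


def _now(now):
    return time.time() if now is None else now


class WeakProfileService:
    """What the slide shows: one secret, handed to whoever asks, valid for any name."""

    def __init__(self):
        self.secret = "8675309"   # the value used on the slide

    def get_challenge(self, requester, now=None):
        return self.secret

    def redeem(self, subject, challenge, now=None):
        return hmac.compare_digest(challenge, self.secret)   # subject is never checked


class BoundProfileService:
    """Random challenge tied to the requester's identity, single-use, short-lived."""

    def __init__(self):
        self.pending = {}   # sha256(challenge) -> (subject, expiry); only a digest is stored

    def get_challenge(self, requester, now=None):
        challenge = secrets.token_urlsafe(24)
        digest = hashlib.sha256(challenge.encode()).hexdigest()
        self.pending[digest] = (requester, _now(now) + CHALLENGE_LIFETIME)
        return challenge

    def redeem(self, subject, challenge, now=None):
        digest = hashlib.sha256(challenge.encode()).hexdigest()
        entry = self.pending.pop(digest, None)   # pop: one redemption only
        if entry is None:
            return False
        bound_subject, expiry = entry
        return bound_subject == subject and _now(now) <= expiry


class CertificateAuthority:
    """Issues a toy certificate only if the profile service accepts the challenge
    for the subject named in the request."""

    def __init__(self, profile_service):
        self.profile_service = profile_service
        self.issued = []

    def enroll(self, subject, challenge, now=None):
        if not self.profile_service.redeem(subject, challenge, now):
            return None
        cert = {"serial": len(self.issued) + 1, "subject": subject}
        self.issued.append(cert)
        return cert


def slide_scenario(service_cls):
    """Replay the slide: the challenge issued to Tony Stark is submitted with the
    name Nick Fury. Returns the subject the CA certified, or None if refused."""
    service = service_cls()
    ca = CertificateAuthority(service)
    challenge = service.get_challenge("Tony Stark")
    cert = ca.enroll("Nick Fury", challenge)
    return cert["subject"] if cert else None


if __name__ == "__main__":
    print("weak service certified:", slide_scenario(WeakProfileService))
    print("bound service certified:", slide_scenario(BoundProfileService))
```

Storing only a digest of the pending challenge means a copy of the profile service's state does not by itself yield redeemable secrets; the single-use pop and the expiry close the remaining window in which a disclosed challenge could be replayed.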
  40. MDM - Email Proxy (diagram). Elements: private key, certificate, MDM, identity bridge, Exchange Server, Active Directory, X.509 authentication, S4U Kerberos impersonation, Kerberos tickets.
  41. Mobile Cloud Identity: NFC (section title slide)
  42. NFC on Mobile Device (diagram). Elements of the NFC system: antenna, NFC controller, secure element.
  43. NFC for Converged Authentication (diagram): NFC used for both building access and IT access.
  44. NFC for Tablet Authentication (diagram). Elements: smartphone, web application, private key, SSL certificate, NFC, tablet, contactless smart card.
  45. NFC Provisioning (diagram). Elements: PKI certificate, Mobile Credential Management Service (MCM), PACS credential, applications (A); externally hosted vs on-premises; identity bridge, certificate authority, PACS host, Active Directory.
  46. Mobile Credential Management Service (diagram). Elements: Trusted Service Manager, MDM, Mobile Credential Management Service (MCM), mobile network operators, NFC secure element, application (A).
  47. NFC Authorization (diagram). Elements: authorization policy, PKI authentication, policy delivery, PKI certificate.
  48. Copyright ©2013 Ping Identity Corporation. All rights reserved.