JavaOne 2010 - Distributed Identity Architecture


Identity, authentication, and authorization are the glue of modern distributed applications. They directly affect security, availability, and usability, and are often a significant barrier to the adoption of distributed paradigms such as SOA and cloud. Performing these tasks in monolithic, coupled systems is fairly well understood, but distributed environments of applications and services with heterogeneous security profiles present different challenges. In this session we present architectural models, deployment techniques, and policy management ideas that represent the top 10 most important lessons we learned from implementing IAF: a large-scale, distributed authentication scheme for eBay Marketplaces, PayPal, and eBay Mobile.

1. Cloud Identity Architecture
   Farhang Kassaei
   Lead Platform Architect, eBay Inc.

2. My Profile
   - Software guy
   - Build large-scale systems: complex, consequential, and they must evolve gracefully
   - Not a "security" guy
   - Not an encryption guru
   - Do not use Nmap, Snort, Wireshark… (sometimes tcpdump)
   - Believe that the majority of security issues are software architecture flaws with security consequences

3. Your Profile
   - Planning to build a cloud?
   - Planning to build an application for a cloud?
   - Building products for your own company or for sale?
   - Familiar with SAML, OAuth, OpenID, federated identity?
   - Primary function?
   - Size of your company?

4. This presentation is interesting if you are
   - A platform architect building a large cloud to host internal or external applications
   - An application engineer building applications to be deployed in a cloud
   - A security architect/engineer responsible for authentication and authorization policies and their implementation
   - Anyone curious to see an example of a large-scale identity system in action (eBay Marketplaces)

5. The [De facto] Cloud Model
   [Diagram: three layers, Software/Application (SaaS) on top of Services/Platform (PaaS) on top of Infrastructure (IaaS)]

6. The Security Boundaries
   [Diagram: the same three layers; an Authentication boundary sits at the Software/Application (SaaS) layer and another at the Services/AP (PaaS) layer, above Infrastructure (IaaS)]
7. What Do We Mean by Distributed Identity?
   [Diagram: a 2x2 grid. One axis: where do users of an application come from (internal IDP or external IDP). Other axis: location of the services used by an application (same domain or other domain). Quadrants: Monolithic Identity Architecture (internal IDP, same domain), Federated Users (external IDP, same domain), Federated Service Providers (internal IDP, other domain), Fully Federated (external IDP, other domain)]

8. What Do We Mean by Distributed Identity?
   [Diagram: App boxes calling Resource/Services boxes]

9. An Example: eBay Application Platform (AP)
   - A platform for building and operating distributed applications
   - Uses an internal cloud as the application operation environment
   - Runs most of what you see on eBay.com
   - Consists of a portfolio of services and a standard application container (Java)

10. An Example: eBay Application Platform
    [Diagram: applications (a 3P Application, eBay Motors, Fashion Shop) running in the Java Container on top of the platform services: Identity, Tracking, Billing, Storage, Payment, Messaging, Search, Cart, Checkout, Similarity, Preferences, Tax]

11. Application Platform had to support
    - Managing the identity of apps, services, and all end users
    - Direct authN as well as delegated and delegating authZ cases (more on this in a bit)
    - Managing and enforcing policies for groups of resources with heterogeneous security policies
    - Plus federated SSO, impersonation, integrating acquisitions, mobile authentication, etc.
    The rest is what we learned doing this…

12. Don't we have SAML, OAuth, OpenID … for this?
    [Diagram of the components involved: 3M (Management, Monitoring, Measuring), Service Provider/RP, Message Bus, STS, Directory Service, Guard, Provisioning, Distribution, Consumer]

13. …And this is what it looks like at eBay
    [Diagram: 3M (Management, Monitoring, Measurement), Local Account, SP/RP, PKI, Directory Service, Mgmt. Tools, Policy Service, AuthZ, Account Linking, AuthN, PAM, STS, Risk, Entity Resolution, Privilege [Granting] Authority, Consumer, Secure Storage, Receptors, Verification & Assurances, Reg., Primary Authenticators (Federated)]
14. Ten Best Practices
    Before you start

15. Establish Reference Model
    [Diagram: SP/RP, STS, Guard (G), Consumer]

16. Establish Reference Model
    [Diagram: the same, plus an IDP behind the STS]

17. Establish Reference Model
    [Diagram: the same, plus 3M (Manage, Measure, Monitor) spanning the whole model]

18. Establish Reference Model
    [Diagram: same as the previous slide]

19. Establish Reference Model
    [Diagram: two instances of the model (each with IDP, STS, Guard, SP/RP, Consumer) under one 3M; AuthN is labelled between them]

20. Isolate RP from Identity Source
    An application deployed in a cloud should not make any assumptions about:
    - The source of identity
    - The authentication mechanisms
    Applications operate on a well-known identity context and policy expression framework.
    The application should maintain a local account, and the platform should provide an account linking/mapping service.

21. Primary Authentication vs. Token Authentication
    - The primary credential should never be submitted to the SP/RP.
    - A primary credential couples the RP/SP to the IDP implementation and to the details of the authentication mechanism.
    - It more than likely leads to RP-issued tokens and token-type proliferation.
    - The primary credential should only ever be exchanged for an STS-issued token.

22. Direct vs. Delegated Authentication
    - Direct: authenticating to access a resource on your own behalf.
    - Delegated: systems that allow a 3P application to obtain a token and call services on behalf of your users.
    - Delegating: a system that is the custodian of tokens received from 3P resources, allowing YOUR application to make calls on behalf of 3P users.

23. Direct, Delegated and Delegating
    [Diagram: three App -> Resource/Services pairs, labelled Direct, Delegated To and Delegating]

24. Think Protocol, Token, Binding, Policy
    The communication foundation of the architectural components:
    - Tokens: how assertions and claims are encoded
    - Protocols: how tokens are requested, validated, exchanged, renewed and de-referenced
    - Binding: how a protocol is carried over a lower-level transport such as HTTP or SOAP
    - Policy: how policies are expressed, enforced and managed
25. Use/Design the Right STS
    - Primary authentication with multiple IDPs/identity directories
    - Multiple encodings
    - Multi-mode
    - Policy driven
    - Pluggable attribute provider
    - Federation and token exchange
    - We use an internal STS called IAF

26. Use Standard Guards
    - Validate and process tokens
    - Transform tokens into a canonical form usable by the RP
    - Point of enforcement (POE) for all policies
    - Implemented as an ESB handler or as in-process Java handlers

27. Establish Security Domains & Separate Logical and Physical
    [Diagram: entity model. A Security Domain has one Policy, one STS, N SPs and 0..N IDPs]

28. Security Domains Illustrated
    [Diagram]

29. Establish Security Domains & Separate Logical and Physical
    - Security domain: a group of SPs that are governed by the same policies
    - Policies: protection tokens, session, native IDPs, transport security
    - A security domain is a security boundary
    - An STS to mint the tokens for the domain
    - A security domain metadata provider

30. Think Federation, not Centralization
    - Which SPs can be accessed with the same token?
    - Can a user log into eBay if she is logged into PayPal?
    - Can an eBay seller use Google Calendar directly from eBay?
    - Can the StubHub checkout application call the eBay Tax Service?
    - Can Half.com use the eBay Shopping Cart service or Tax Service?

31. Federation of Security Domains
    [Diagram]

32. Design with 3M in mind
    Design in a way that someone else can manage the system:
    - How many security domains are there?
    - What are the protection token policies of each?
    - What are the roles in each security domain?
    - Where and what are the federation agreements?
    - How are roles mapped among domains?
    - How do I rotate keys for a domain?
    - How many tokens have been issued, revoked, renewed, used?

33. If you forget everything, remember this…
    Platform designers:
    - Identity architecture is the first thing you should put in place (right after your business model)
    - The architecture should at least include IDP, STS, Guard and 3M
    - Manage tokens like an enterprise asset
    - Any retrofit or redesign is deceptively costly and risky
    Application designers, design with the assumption that you have:
    - No control over the source of identity
    - No control over the format of the token
    - No direct access to where identity attributes are stored
    - A standard identity context and identity context provider

34. Questions?
    Thank you.
35. Backup Slides

36. IAF (eBay STS) Service Interface
    [Diagram of the interface groups: SOA Admin., IAF Authentication, Direct Authentication, Delegated Authentication, Federations, Guard Utility]
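The slides describe the STS and the Guard, direct versus delegated authentication, security domains joined by federation agreements, and the 3M questions (key rotation, token counts), and the last slide lists the IAF interface groups, but the deck contains no code. The following is an added example written for this page, not eBay's IAF or any other eBay code, showing how those pieces fit together in a minimal form. Everything in it is an assumption made for the illustration: the token format (a base64url header, claims and HMAC-SHA256 tag, chosen only because it is short), the domain names, the user directory, the roles, the role map, the resource names and all class and function names. Primary credentials are only ever presented to the STS, which exchanges them for a token; the Guard turns a valid token into a canonical identity context and denies by default; a delegated token is narrowed to a scope and cannot be re-delegated; a token from another security domain is refused by the Guard and must be exchanged at the local STS under a federation agreement that maps roles; keys are identified by a kid so that rotation does not invalidate outstanding tokens.

```python
import base64, hashlib, hmac, json, secrets, time
# Token format used here (an assumption, not eBay's IAF): base64url(header).base64url(claims).base64url(HMAC-SHA256)
def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def verify(token, keys, now=None):
    """Check signature (key chosen by kid), expiry and shape against a key set; return the claims or None."""
    try:
        header, body, sig = token.split(".")
        kid = json.loads(_unb64(header))["kid"]
        mac = hmac.new(keys[kid], f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(mac, _unb64(sig)):
            return None
        claims = json.loads(_unb64(body))
        return claims if claims["exp"] > (time.time() if now is None else now) else None
    except (ValueError, KeyError, TypeError):   # malformed token, unknown kid or missing claim
        return None

class STS:  # token service of one security domain: primary authN, delegation, federation, key rotation
    def __init__(self, domain, idp, keys, active_kid, federation=None):
        self.domain, self.idp, self.keys = domain, idp, dict(keys)        # idp: user -> {pw_hash, roles}
        self.active_kid, self.federation = active_kid, federation or {}   # federation: issuer -> agreement
        self.stats = {"issued": 0, "rejected": 0}                         # the "Measure" of 3M

    def _mint(self, claims, ttl=300):
        claims = dict(claims, iss=self.domain, exp=int(time.time()) + ttl, jti=secrets.token_hex(8))
        header = _b64(json.dumps({"kid": self.active_kid}).encode())
        body = _b64(json.dumps(claims, sort_keys=True).encode())
        mac = hmac.new(self.keys[self.active_kid], f"{header}.{body}".encode(), hashlib.sha256).digest()
        self.stats["issued"] += 1
        return f"{header}.{body}.{_b64(mac)}"

    def _reject(self):                  # counts the rejection and (implicitly) returns None
        self.stats["rejected"] += 1

    def authenticate(self, user, password):  # direct authN: the only component that ever sees the primary credential
        rec = self.idp.get(user)
        digest = hashlib.sha256(password.encode()).hexdigest()
        if rec is None or not hmac.compare_digest(rec["pw_hash"], digest):
            return self._reject()
        return self._mint({"sub": user, "roles": sorted(rec["roles"]), "mode": "direct"})

    def delegate(self, user_token, app_id, scope):  # delegated authN: a 3P app acts for the user, narrowed to scope
        claims = verify(user_token, self.keys)
        if claims is None or claims["iss"] != self.domain or claims["mode"] != "direct":
            return self._reject()       # foreign, expired or already-delegated tokens: no chaining
        roles = sorted(set(claims["roles"]) & set(scope))
        return self._mint({"sub": claims["sub"], "act": app_id, "roles": roles, "mode": "delegated"})

    def exchange(self, foreign_token):  # federation: token from a domain with an agreement -> local token
        try:
            issuer = json.loads(_unb64(foreign_token.split(".")[1]))["iss"]
            agreement = self.federation[issuer]     # no agreement with that issuer: no exchange
        except (ValueError, KeyError, IndexError, TypeError):
            return self._reject()
        claims = verify(foreign_token, agreement["keys"])
        if claims is None:
            return self._reject()
        roles = sorted({agreement["role_map"][r] for r in claims["roles"] if r in agreement["role_map"]})
        return self._mint({"sub": f"{issuer}:{claims['sub']}", "roles": roles, "mode": "federated"})

    def rotate(self, kid, secret):      # new tokens use the new key; old keys keep verifying until retired
        self.keys[kid] = secret
        self.active_kid = kid

class Guard:  # in front of an RP: validates tokens, enforces the domain policy, emits a canonical identity context
    def __init__(self, domain, keys, policy):
        self.domain, self.keys, self.policy = domain, keys, policy   # policy: resource -> roles allowed

    def admit(self, token, resource):
        claims = verify(token, self.keys)
        if claims is None or claims["iss"] != self.domain:
            return None                 # other domains' tokens must go through the STS exchange first
        if not self.policy.get(resource, set()) & set(claims["roles"]):
            return None                 # unknown resource or no matching role: default deny
        return {"subject": claims["sub"], "roles": claims["roles"], "actor": claims.get("act"), "mode": claims["mode"]}

# Constructed sample: two security domains and a one-way federation agreement (eBay tokens accepted at PayPal).
EBAY_USERS = {"alice": {"pw_hash": hashlib.sha256(b"correct horse").hexdigest(), "roles": ["buyer", "seller"]}}
ebay = STS("ebay", EBAY_USERS, {"k1": b"ebay-key-1"}, "k1")
paypal = STS("paypal", {}, {"p1": b"paypal-key-1"}, "p1",
             federation={"ebay": {"keys": ebay.keys, "role_map": {"seller": "merchant"}}})
ebay_guard = Guard("ebay", ebay.keys, {"cart": {"buyer"}, "tax": {"seller"}})
paypal_guard = Guard("paypal", paypal.keys, {"payout": {"merchant"}})

def demo():  # direct, delegated and federated access plus a key rotation; returns each outcome (None = refused)
    out, direct = {}, ebay.authenticate("alice", "correct horse")
    out["wrong_password"] = ebay.authenticate("alice", "wrong")
    out["direct_cart"] = ebay_guard.admit(direct, "cart")
    delegated = ebay.delegate(direct, "fashion-shop", scope=["seller"])
    out["delegated_tax"] = ebay_guard.admit(delegated, "tax")
    out["delegated_cart"] = ebay_guard.admit(delegated, "cart")         # scope did not include "buyer"
    out["ebay_token_at_paypal"] = paypal_guard.admit(direct, "payout")   # not exchanged: denied
    out["federated_payout"] = paypal_guard.admit(paypal.exchange(direct), "payout")
    ebay.rotate("k2", b"ebay-key-2")
    out["old_token_after_rotation"] = ebay_guard.admit(direct, "cart")
    out["new_kid"] = json.loads(_unb64(ebay.authenticate("alice", "correct horse").split(".")[0]))["kid"]
    return out
```

Calling demo() exercises each path and returns the outcomes, with None wherever access was refused. The agreement is one-way: PayPal accepts eBay tokens, eBay accepts none from PayPal, and the Guard never accepts a foreign token directly, so every cross-domain access is visible at (and countable by) the local STS. Sharing the issuing domain's key set inside the agreement is what keeps the exchange working across a rotation; in a real deployment that key set would come from the security domain metadata provider of slide 29 rather than an in-process dict.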