JavaOne 2010 - Distributed Identity Architecture
Identity, authentication, and authorization are the glue of modern distributed applications. They directly affect security, availability, and usability, and are often a significant barrier to adoption of distributed paradigms such as SOA and cloud. Performing these tasks in monolithic and coupled systems is fairly well understood, but distributed environments of applications and services with heterogeneous security profiles often present different challenges. In this session, we'll present architectural models, deployment techniques, and policy management ideas that represent the top 10 most important lessons we learned from implementing IAF: a large-scale, distributed authentication scheme for eBay marketplaces, PayPal, and eBay Mobile.

Published in: Technology
Transcript

  • 1. Cloud Identity Architecture
    Farhang Kassaei
    Lead Platform Architect, eBay Inc.
  • 2. My Profile
    Software guy
    build large scale systems
    Complex, consequential systems that must evolve gracefully
    Not “security” guy
    Not encryption guru
    Do not use Nmap, Snort, Wireshark… (sometimes Tcpdump)
    Believe that majority of security issues are software architecture flaws with security consequences.
  • 3. Your Profile
    Planning to build a Cloud
    Planning to build an application for Cloud
    Building products for your own company or for sale?
    Familiar with SAML, OAuth, OpenID, Federated Identity
    Primary function?
    Size of your Company?
  • 4. This presentation is interesting if you are
    Platform Architects building a large cloud to host internal or external applications.
    Application Engineers building applications to be deployed in a cloud.
    Security architects/engineers responsible for authentication and authorization policies and their implementation.
    Anyone who is curious to see an example of a large-scale identity system in action (eBay Marketplaces).
  • 5. The [De facto] Cloud Model
    (diagram of layers, top to bottom:)
    Software/Application (SAAS)
    Services
    Platform (PAAS)
    Infrastructure (IAAS)
  • 6. The Security Boundaries
    (diagram: the cloud layers with an Authentication boundary at each of the upper two layers)
    Authentication: Software/Application (SAAS)
    Authentication: Services/AP, Platform (PAAS)
    Infrastructure (IAAS)
  • 7. What Do We Mean by Distributed Identity?
    (diagram with two axes: "Where do users of an application come from" (Same Domain, Internal IDP, External IDP; Federated Users) and "Location of services used by an application" (Same Domain, Other Domain; Federated Service Providers); regions labelled Monolithic Identity Architecture and Fully Federated)
  • 8. What Do We Mean by Distributed Identity?
    (diagram: Apps calling Resource/Services)
  • 9. An Example: eBay Application Platform (AP)
    A Platform for building and operating distributed applications.
    Uses an internal cloud as application operation environment.
    Runs most of what you see on eBay.com
    Consists of a portfolio of services and a standard application container (Java)
  • 10. An Example: eBay Application Platform
    (diagram: Identity; applications (3P Application, eBay Motors, Fashion Shop) on a Java Container; services: Identity, Tracking, Billing, Storage, Payment, Messaging, Search, Cart, Checkout, Similarity, Preferences, Tax)
  • 11. Application Platform had to support
    Manage identity of apps, services, and all end users.
    Support direct authN as well as delegated and delegating authZ cases. (more on this in a bit)
    Manage and enforce policies for groups of resources with heterogeneous security policies
    Plus Federated SSO, Impersonation, Integrating acquisitions, mobile authentication etc.
    The rest is what we learned doing this…
  • 12. Don’t we have SAML, OAuth, OpenID … for this?
    (diagram of components: 3M - Management, Monitoring, Measuring; Service Provider/RP; Message Bus; STS; Directory Service; Guard; Provisioning; Distribution; Consumer)
  • 13. …And this is what it looks like at eBay
    (diagram of components: 3M – Management, Monitoring, Measurement; Local Account; SP/RP (several); PKI; Directory Service; Mgmt. Tools; Policy Service; AuthZ; Account Linking; AuthN; PAM; STS; Risk; Entity Resolution; Privilege [Granting] Authority; Consumer; Secure Storage; Receptors; Verification & Assurances; Reg.; Primary Authenticators (Federated))
  • 14. Ten Best Practices
    Before you start
  • 15. Establish Reference Model
    (diagram: SP/RP, STS, G [Guard], Consumer)
  • 16. Establish Reference Model
    (diagram: adds an IDP behind the STS: SP/RP, STS, IDP, G, Consumer)
  • 17. Establish Reference Model
    (diagram: adds 3M (Manage, Measure, Monitor) across SP/RP, STS, IDP, G, Consumer)
  • 18. Establish Reference Model
    (same diagram as slide 17)
  • 19. Establish Reference Model
    (diagram: 3M (Manage, Measure, Monitor); SP/RP; two IDP/STS/G groups; AuthN)
  • 20. Isolate RP from Identity Source
    (reference model diagram: 3M, SP/RP, IDP, STS, Consumer)
    Applications deployed in the cloud should not make any assumptions about:
    Source of identity
    Authentication mechanisms
    Applications operate based on a well-known identity context and policy expression framework.
    Applications should maintain a local account, and the platform should provide an Account Linking/Mapping service.
  • 21. Primary Authentication vs. Token Authentication
    (reference model diagram: 3M, SP/RP, IDP, STS, Consumer)
    Primary credentials should never be submitted to the SP/RP.
    A primary credential couples the RP/SP to the IDP implementation and to authentication mechanism details.
    More than likely this leads to RP-issued tokens and token type proliferation.
    A primary credential should only be exchanged for an STS-issued token.
  • 22. Direct vs. Delegated Authentication
    (reference model diagram: 3M, SP/RP, IDP, STS, Consumer)
    Direct: Authenticating to access a resource on your own behalf.
    Delegated: Systems that allow a 3P application to obtain a token and call services on behalf of your users.
    Delegating: A system that is the custodian of tokens received from 3P resources, allowing YOUR application to make calls on behalf of 3P users.
  • 23. Direct, Delegated and Delegating
    (diagram: three Apps calling Resource/Services, labelled Direct, Delegated To, and Delegating)
  • 24. Think Protocol, Token, Binding, Policy
    (reference model diagram: 3M, SP/RP, IDP, STS, Consumer)
    The communication foundation of the architectural components:
    Tokens: How assertions and claims are encoded
    Protocols: How tokens are requested, validated, exchanged, renewed and de-referenced
    Binding: How the protocol is carried over a lower-level transport such as HTTP or SOAP.
    Policy: How policies are expressed, enforced and managed.
  • 25. Use/Design the Right STS
    (reference model diagram: 3M, SP/RP, IDP, STS, Consumer)
    • Primary Authentication with Multi-IDP/Identity directory
    • Multiple Encoding
    • Multi-Mode
    • Policy Driven
    • Pluggable Attribute Provider
    • Federation and token exchange
    • We use an internal STS called IAF
  • Use Standard Guards
    (reference model diagram: 3M, SP/RP, IDP, STS, Consumer)
    • Validate and process tokens
    • Transform tokens to a canonical form usable by the RP
    • POE (point of enforcement) of all policies
    • Implemented as ESB handlers or in-process Java handlers
  • Establish Security Domains & Separate Logical and Physical
    (reference model diagram: 3M, SP/RP, IDP, STS, Consumer)
    (cardinality diagram: a Security Domain has Policy 1, STS 1, SP N, IDP 0..N)
  • 35. Security Domains Illustrated
    (diagram)
  • 36. Establish Security Domains & Separate Logical and Physical
    (reference model diagram: 3M, SP/RP, IDP, STS, Consumer)
    • Sec Domain: A group of SPs that are governed by the same policies
    • Policies: Protection Tokens, Session, Native IDPs, Transport Security
    • A Security Domain is a security boundary
    • An STS to mint the tokens for the domain
    • Security Domain metadata provider
  • Think Federation not Centralization
    (reference model diagram: 3M, SP/RP, IDP, STS, Consumer)
    • Which SPs can be accessed with the same token?
    • Can a user log into eBay if she is logged into PayPal?
    • Can an eBay seller use Google Calendar directly from eBay?
    • Can the StubHub checkout application call the eBay Tax Service?
    • Can Half.com use the eBay Shopping Cart service or Tax Service?
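The pattern behind the last several slides (isolate the RP from the identity source, exchange primary credentials only at the STS, a standard guard that validates tokens and hands the RP a canonical identity context, one STS per security domain, and federation agreements between domains) is easier to see as code than as a diagram. The following is an added example, not code from this talk and not eBay's IAF; every name in it (STS, Guard, IdentityContext, the users, domains and keys) is constructed for illustration, and HMAC-SHA256 stands in for whatever signing scheme a real STS uses.

```python
"""Toy STS plus standard Guard (constructed example, not eBay's IAF)."""
import base64
import hashlib
import hmac
import json
import time
from dataclasses import dataclass

# Constructed identity directory: primary credentials live only behind the STS.
_DIRECTORY = {"alice": hashlib.sha256(b"correct horse").hexdigest()}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


@dataclass(frozen=True)
class IdentityContext:
    """Canonical identity context handed to the RP; the RP never parses tokens."""
    subject: str
    domain: str
    roles: tuple


class STS:
    """Mints tokens for one security domain. Only the STS sees primary credentials."""

    def __init__(self, domain: str, key: bytes):
        self.domain = domain
        self._key = key

    def primary_authenticate(self, user: str, password: str, ttl: int = 300, now=None) -> str:
        """Exchange a primary credential for an STS-issued token (slide 21)."""
        digest = hashlib.sha256(password.encode()).hexdigest()
        if not hmac.compare_digest(_DIRECTORY.get(user, ""), digest):
            raise PermissionError("primary authentication failed")
        now = int(time.time()) if now is None else now
        claims = {"sub": user, "iss": self.domain, "iat": now,
                  "exp": now + ttl, "roles": ["member"]}
        body = _b64(json.dumps(claims, sort_keys=True).encode())
        sig = hmac.new(self._key, body.encode(), hashlib.sha256).digest()
        return f"{body}.{_b64(sig)}"


class Guard:
    """Point of enforcement in front of the SPs of one security domain."""

    def __init__(self, domain: str, keys: dict, federation=()):
        self.domain = domain
        self.keys = keys                    # issuer domain -> verification key
        self.federation = set(federation)   # foreign domains we have agreements with

    def admit(self, token: str, now=None) -> IdentityContext:
        """Validate the token and transform it into the canonical context."""
        body, _, sig = token.partition(".")
        try:
            claims = json.loads(_unb64(body))
            provided_sig = _unb64(sig)
        except ValueError:
            raise PermissionError("malformed token")
        if not isinstance(claims, dict):
            raise PermissionError("malformed token")
        issuer = claims.get("iss")
        if issuer != self.domain and issuer not in self.federation:
            raise PermissionError(f"no federation agreement with {issuer!r}")
        key = self.keys.get(issuer)
        if key is None:
            raise PermissionError(f"no verification key for {issuer!r}")
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, provided_sig):
            raise PermissionError("bad signature")
        now = int(time.time()) if now is None else now
        if now >= claims["exp"]:
            raise PermissionError("token expired")
        return IdentityContext(claims["sub"], issuer, tuple(claims["roles"]))


def run_scenarios() -> dict:
    """Exercise the guard against a constructed two-domain deployment."""
    ebay_key, paypal_key = b"ebay-signing-key", b"paypal-signing-key"
    ebay_sts, paypal_sts = STS("ebay", ebay_key), STS("paypal", paypal_key)
    # eBay's guard trusts its own STS and, by federation agreement, PayPal's.
    ebay_guard = Guard("ebay", {"ebay": ebay_key, "paypal": paypal_key}, federation={"paypal"})
    # A domain with no agreement with eBay must refuse eBay's tokens.
    half_guard = Guard("half", {"half": b"half-signing-key", "ebay": ebay_key})
    t0 = 1_700_000_000
    ebay_token = ebay_sts.primary_authenticate("alice", "correct horse", now=t0)
    paypal_token = paypal_sts.primary_authenticate("alice", "correct horse", now=t0)

    def outcome(guard, token, now):
        try:
            return "admitted:" + guard.admit(token, now=now).subject
        except PermissionError as err:
            return "rejected:" + str(err)

    # A token whose claims were edited after signing (role escalation attempt).
    body, _, sig = ebay_token.partition(".")
    edited = {**json.loads(_unb64(body)), "roles": ["admin"]}
    tampered = _b64(json.dumps(edited, sort_keys=True).encode()) + "." + sig
    return {
        "own_domain": outcome(ebay_guard, ebay_token, t0 + 10),
        "federated": outcome(ebay_guard, paypal_token, t0 + 10),
        "no_agreement": outcome(half_guard, ebay_token, t0 + 10),
        "expired": outcome(ebay_guard, ebay_token, t0 + 300),
        "tampered": outcome(ebay_guard, tampered, t0 + 10),
        "garbage": outcome(ebay_guard, "not-a-token", t0 + 10),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:13s} {result}")
```

The RP code behind the guard only ever receives an `IdentityContext`, so swapping the token format, the signing scheme or the identity source changes the STS and the guard but not the application, which is the isolation slide 20 asks for; the federation set on the guard is where a "federation agreement" between two security domains becomes an explicit, reviewable configuration rather than an implicit trust.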
  • Federation of Security Domains
    (diagram)
  • 45. Design with 3M in mind
    (reference model diagram: 3M, SP/RP, IDP, STS, Consumer)
    • Design in a way that someone else can manage the system.
    • How many security domains are there?
    • What are the protection token policies of each?
    • What are the roles in each security domain?
    • Where and what are the federation agreements?
    • How are roles mapped among domains?
    • How do I rotate keys for a domain?
    • How many tokens were issued, revoked, renewed, used?
  • If you forget everything, remember this…
    Platform Designers
    • Identity Architecture is the first thing you should put in place (right after your business model)
    • Architecture at least should include IDP, STS, Guard and 3M
    • Manage Tokens like an enterprise asset.
    • Any retrofit or redesign is deceptively costly and risky
    Application Designers
    Design with the assumptions that:
    • No control over the source of identity
    • No control over the format of token
    • No direct access to where identity attributes are stored
    • A standard identity context and identity context provider
  • Questions?
    Thank you.
  • 58. Backup Slides
  • 59. IAF (eBay STS) Service Interface
    SOA Admin.
    IAF Authentication
    Direct Authentication
    Delegated Authentication
    Federations
    Guard Utility