Oidc how it solves your problems
Presentation Transcript

  • Cloud Identity Summit 2013 report: How does OpenID Connect solve your problems? 2013/9/4, Nat Sakimura, Nomura Research Institute; Chairman, The OpenID Foundation; @_nat_en; http://nat.sakimura.org/
  • © 2013 by Nomura Research Institute. All rights reserved. B2E Identity, B2C Identity, G2C Identity, G2E Identity (source of pictures: Microsoft Office Online)
  • “Does OpenID Connect have anything to do with the enterprise? Isn't it a consumer technology?”
  • Not quite. Because I have a very enterprisey background…
  • OpenID Connect was designed with enterprise use in mind (consumer use too, of course). It is effective for building access governance for cloud services.
  • What are the de facto federation and access provisioning protocols?
  • Identity Federation: SAML? Account Provisioning: SPML?
  • Identity Federation: password sharing. Account Provisioning: custom CSV.
  • Why did they fail?
  • Too hard to understand. Cognitive difficulty -> implementation difficulty. Low interoperability between products. One large manufacturer:
    ▪ > 3000 partners all around the world
    ▪ Many of them were working with multiple companies
    ▪ Tried to create a SAML federation but failed.
  • CSV is easy.
    • All you need is Excel!
    • And you can edit it by hand!
    Password sharing is easy too.
    • It works with every application that supports passwords!
  • Hooray!
  • Hooray???
  • Something that three or more people know is not a secret! Synchronization breaks easily. Manual editing is a risk. De-provisioning? Archiving? Audit trails? etc…
  • #fail
  • Let's do it over! This time, dead simple! Reinventing the wheel? Yes. But this time the wheel is a bit rounder.
  • OpenID Connect & SCIM
  • SAML vs. OpenID Connect
    SAML Web SSO          | OpenID Connect
    XML                   | JSON
    XML DSig              | JSON Web Signature (JWS)
    XML Encryption        | JSON Web Encryption (JWE)
    SAML                  | JSON Web Token
    SAML Assertion        | ID Token (OIDC)
    SOAP (mostly…)        | REST
    SAML Web SSO Profile  | Standard (= OAuth 2.0 binding)
    SPML                  | SCIM
  • identity: a set of attributes related to an entity (ISO/IEC 29115 | ITU-T X.1254). Note: distinguish identity and identifier carefully.
  • Example of an “identity”: Employee number: A12349898; Name: 山田太郎; Title: 部長 (general manager); Department: 財務部 (finance); Company: ABCD Holdings; Location: NYHQ; Date/time: 29130809T12:34:11Z
  • The same attributes (Employee number: A12349898; Name: 山田太郎; Title: 部長; Department: 財務部; Company: ABCD Holdings; Location: NYHQ; Date/time: 29130809T12:34:11Z) feed logging, the user interface and access control info.
  • Diagram labels: Entity; Identity (Real Name, Professional qualification, Department, Geo-location, Employee number); Authentication; Policy Enforcement; Rules; Resource.
  • ABAC, based on the SP800-162 figure on page viii. Diagram labels: entity, identity, Rules, Resource.
  • Requirements
    • R1: Access Control MUST be done with the dynamic attributes
    • R2: Identity MUST be provided from the authoritative source
    • R3: Need to be able to provide flexible security.
    • R4: Need to be dead simple.
    • R5: Interoperability is the king.
    • R6: Limited connection (esp. mobile) ready.
    • R7: Unified technology for enterprise and consumer.
  • Diagram labels: Name, Qualification, Department, Geo-location, Employee number, Title; Entity, Identity, Resource, Authentication, PEP, PDP, PAP / PIP, Boss, Metadata, Log, Application, Accounts. Account provisioning: e.g., SCIM / SPML. Authentication: e.g., OpenID/SAML. Access control (authorization): e.g., XACML / JACML?
  • From experience implementing OpenID Connect
  • Follow the MUSTs properly.
    • Some implementations created security holes by not implementing the MUSTs.
    Do not send an access token to another client or machine without the ID token.
    • That makes you vulnerable to token substitution attacks.
    • http://www.thread-safe.com/2012/01/problem-with-oauth-for-authentication.html
    Pay close attention to the server-side processing load for “code” and “token”.
    • One implementation handles 2000 tr/sec; at that rate the load of signature and encryption processing needs careful attention.
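The ABAC slides above (identity as a set of attributes, the PEP/PDP/PIP boxes, and requirements R1 and R2) can be shown as a small policy decision point. The code below is an added example written for this transcript, not code from the deck or from Nomura Research Institute. It reuses the deck's sample attribute values, but the DIRECTORY store, the rule names, the resource fields and the pip_lookup, pdp_decide and pep_authorize functions are all constructed for illustration. It goes one step beyond the slide by showing what happens when an attribute changes or the account is de-provisioned: because the PEP re-reads attributes on every request, the decision changes without anyone editing an access list, and each decision leaves an audit entry.

```python
from dataclasses import dataclass, field
from typing import Callable

# Constructed sample directory: the attribute set from the deck's "identity" example.
# In a real deployment these come from the authoritative source (R2), e.g. a SCIM
# lookup or ID token claims, and are re-read on every decision (R1).
DIRECTORY = {
    "A12349898": {
        "employee_number": "A12349898",
        "name": "山田太郎",
        "title": "部長",          # general manager
        "department": "財務部",   # finance department
        "company": "ABCD Holdings",
        "location": "NYHQ",
        "active": True,
    }
}


def pip_lookup(employee_number: str) -> dict:
    """Policy Information Point (hypothetical): fetch the *current* subject attributes."""
    return dict(DIRECTORY.get(employee_number, {"active": False}))


@dataclass
class Rule:
    name: str
    effect: str  # "Permit" or "Deny"
    applies: Callable[[dict, dict, str], bool]  # (subject, resource, action) -> bool


# Constructed rule set; attribute names follow the sample identity above.
RULES = [
    Rule("deprovisioned-accounts-denied", "Deny",
         lambda s, r, a: not s.get("active", False)),
    Rule("finance-reads-finance-reports", "Permit",
         lambda s, r, a: a == "read" and r.get("type") == "finance_report"
         and s.get("department") == "財務部"),
    Rule("general-managers-approve-own-department", "Permit",
         lambda s, r, a: a == "approve" and s.get("title") == "部長"
         and s.get("department") == r.get("owner_department")),
    Rule("location-bound-resources", "Deny",
         lambda s, r, a: "location" in r and s.get("location") != r["location"]),
]


@dataclass
class Decision:
    effect: str
    matched: list = field(default_factory=list)


def pdp_decide(subject: dict, resource: dict, action: str, rules=RULES) -> Decision:
    """Policy Decision Point with deny-overrides combining; default is Deny."""
    matched = [rule for rule in rules if rule.applies(subject, resource, action)]
    names = [rule.name for rule in matched]
    if any(rule.effect == "Deny" for rule in matched):
        return Decision("Deny", names)
    if any(rule.effect == "Permit" for rule in matched):
        return Decision("Permit", names)
    return Decision("Deny", names)


AUDIT_LOG: list = []


def pep_authorize(employee_number: str, resource: dict, action: str) -> bool:
    """Policy Enforcement Point: pull fresh attributes, ask the PDP, record an audit entry."""
    subject = pip_lookup(employee_number)
    decision = pdp_decide(subject, resource, action)
    AUDIT_LOG.append({
        "subject": employee_number,
        "action": action,
        "resource": resource.get("id"),
        "decision": decision.effect,
        "rules": decision.matched,
        # snapshot of the attributes the decision was based on, for the audit trail
        "attributes": {k: subject.get(k) for k in ("title", "department", "location", "active")},
    })
    return decision.effect == "Permit"


# Constructed resource: a finance report owned by the finance department at NYHQ.
REPORT = {"id": "fy2013-q2", "type": "finance_report",
          "owner_department": "財務部", "location": "NYHQ"}

if __name__ == "__main__":
    print(pep_authorize("A12349898", REPORT, "read"))   # True: finance GM at NYHQ
    DIRECTORY["A12349898"]["department"] = "営業部"     # transferred to sales
    print(pep_authorize("A12349898", REPORT, "read"))   # False: attribute changed
    for entry in AUDIT_LOG:
        print(entry)
```

The point the deck makes with "dynamic attributes" is visible in the last two calls: nothing about the report or the rules changed, only the subject's department, and the decision flipped on the next request because the PEP asked the PIP again instead of trusting a copy it had made earlier.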
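For the last slide's point about token substitution, here is what the relying party's check looks like. This is an added example, not code from the deck or from any OpenID Connect library; it assumes an ID token signed with HS256 using the client secret as the key (one of the signing options OpenID Connect allows), and the issuer URL, client_id, nonce and token strings are constructed placeholders. The at_hash comparison binds the access token to the ID token, so an access token that arrives without an ID token, or one that was issued in another context, is refused instead of being accepted on its own.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def at_hash_for(access_token: str) -> str:
    """at_hash as OpenID Connect Core defines it for a SHA-256 alg:
    base64url of the left-most half of SHA-256(access_token)."""
    digest = hashlib.sha256(access_token.encode("ascii")).digest()
    return b64url_encode(digest[: len(digest) // 2])


def sign_hs256(claims: dict, key: bytes) -> str:
    """Minimal JWS compact serialization with HS256 (stands in for the OP here)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


class TokenRejected(Exception):
    pass


def validate_id_token(id_token: str, access_token: str, *, key: bytes, issuer: str,
                      client_id: str, nonce: str, now: Optional[float] = None) -> dict:
    """Relying-party validation: signature, iss, aud, exp, nonce, then at_hash binding."""
    try:
        header_b64, payload_b64, sig_b64 = id_token.split(".")
    except ValueError:
        raise TokenRejected("malformed JWS compact serialization")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the alg; never let the token choose it
        raise TokenRejected(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise TokenRejected("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise TokenRejected("issuer mismatch")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise TokenRejected("ID token not issued for this client")
    if claims.get("exp", 0) <= now:
        raise TokenRejected("ID token expired")
    if claims.get("nonce") != nonce:
        raise TokenRejected("nonce mismatch (possible replay)")
    if not isinstance(claims.get("at_hash"), str):
        raise TokenRejected("no at_hash: access token cannot be bound to this ID token")
    if not hmac.compare_digest(claims["at_hash"].encode("ascii"), at_hash_for(access_token).encode("ascii")):
        raise TokenRejected("access token does not belong to this ID token (token substitution)")
    return claims


def accept_tokens(id_token: Optional[str], access_token: str, **kw) -> tuple:
    """Entry point for the receiving side: (accepted, reason). An access token alone is never enough."""
    if not id_token:
        return False, "access token arrived without an ID token; refuse to treat it as authentication"
    try:
        validate_id_token(id_token, access_token, **kw)
    except TokenRejected as exc:
        return False, str(exc)
    return True, "ok"


if __name__ == "__main__":
    # Constructed values: client secret, issuer, client_id and token strings are placeholders.
    KEY, ISS, NOW = b"constructed-client-secret", "https://op.example.test", 1378267200
    claims = {"iss": ISS, "sub": "A12349898", "aud": "rp-finance", "iat": NOW, "exp": NOW + 600,
              "nonce": "n-42", "at_hash": at_hash_for("AT-rp-finance-1")}
    idt = sign_hs256(claims, KEY)
    common = dict(key=KEY, issuer=ISS, client_id="rp-finance", nonce="n-42", now=NOW)
    print(accept_tokens(idt, "AT-rp-finance-1", **common))          # (True, 'ok')
    print(accept_tokens(idt, "AT-from-somewhere-else", **common))   # rejected: substitution
    print(accept_tokens(None, "AT-rp-finance-1", **common))         # rejected: no ID token
```

Two design choices matter here. The alg is pinned by the relying party rather than read from the header, and every comparison of secrets or hashes goes through hmac.compare_digest. The at_hash check is what turns "the access token is valid somewhere" into "this access token was issued together with this ID token for this client", which is exactly the property the slide says is lost when a bare access token is passed to another client or machine.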