Oidc how it solves your problems

3,634
-1

Published on

0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
3,634
On Slideshare
0
From Embeds
0
Number of Embeds
7
Actions
Shares
0
Downloads
19
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Oidc how it solves your problems

  1. 1. Cloud Identity Summit 2013 報告 OpenID Connectは、 あなたの課題をどう解いてくれる か? 2013/9/4 Nat Sakimura Nomura Research Institute Chairman, The OpenID Foundation @_nat_en http://nat.sakimura.org/
  2. 2. © 2013 by Nomura Research Institute. All rights reserved. B2E Identity B2C Identity G2C Identity (source of pictures)Microsoft Office Online G2E Identity
  3. 3. © 2013 by Nomura Research Institute. All rights reserved. 「エンプラにOpenID Connect っ て 関係あるの? コンシューマ向け技術じゃない の?」
  4. 4. © 2013 by Nomura Research Institute. All rights reserved. Not quite. because I have very enterprizy background…
  5. 5. © 2013 by Nomura Research Institute. All rights reserved. OpenID Connect は、エンプラ利用を念 頭において作られまし た。(コンシューマも だけど) クラウドサービスに アクセスガバナンス を作るのに有効です。
  6. 6. © 2013 by Nomura Research Institute. All rights reserved. デファクトのフェデレーションと アクセスプロビジョニングプロト コルは何?
  7. 7. © 2013 by Nomura Research Institute. All rights reserved. Identity Federation •SAML? Account Provisioning •SPML?
  8. 8. © 2013 by Nomura Research Institute. All rights reserved.
  9. 9. © 2013 by Nomura Research Institute. All rights reserved. Identity Federation •パスワード 共有 Account Provisioning •カスタム CSV
  10. 10. © 2013 by Nomura Research Institute. All rights reserved. なぜ失敗したか?
  11. 11. © 2013 by Nomura Research Institute. All rights reserved. 理解するのに難しすぎ。 認知上の困難さ -> 実装の困難さ プロダクト間の互換性の低さ ある大規模製造業: ▪ > 3000 partners all around the world ▪ Many of them were working with multiple companies ▪ Tried to create a SAML federation but failed.
  12. 12. © 2013 by Nomura Research Institute. All rights reserved. CSV は簡単. • Excelあれば OK! • それに手動で 編集できる よ! パスワード共 有も簡単. • パスワードを サポートして いる全アプリ ケーションで 使えるよ!
  13. 13. © 2013 by Nomura Research Institute. All rights reserved. やったね!
  14. 14. © 2013 by Nomura Research Institute. All rights reserved. やったね???
  15. 15. © 2013 by Nomura Research Institute. All rights reserved. 3人以上が知っているものは秘密 じゃない! 同期が崩れやすい。 手動編集はリスクだ。 De-provisioning? Archiving? 監査証跡は? etc…
  16. 16. © 2013 by Nomura Research Institute. All rights reserved. #fail
  17. 17. © 2013 by Nomura Research Institute. All rights reserved. やりなおしだ! 今回は、死ぬほど簡単に! 車輪の再発明?そうだ。 だけど、今回の車輪はもうちょっと丸い。
  18. 18. © 2013 by Nomura Research Institute. All rights reserved. OpenID Connect & SCIM
  19. 19. © 2013 by Nomura Research Institute. All rights reserved. SAML v.s. OpenID Connect SAML Web SSO OpenID Connect XML JSON XML Dsig JSON Web Signature (JWS) XML Encryption JSON Web Encryption (JWE) SAML JSON Web Token SAML Assertion ID Token (OIDC) SOAP (mostly…) REST SAML Web SSO Profile Standard (=OAuth 2.0 binding) SPML SCIM
  20. 20. © 2013 by Nomura Research Institute. All rights reserved. identity 実体に関連する属性の集合 ISO/IEC 29115 | ITU-T X.1254 Note: distinguish identity and identifier carefully.
  21. 21. © 2013 by Nomura Research Institute. All rights reserved. “identity”の例 社員番号: A12349898 氏名: 山田太郎 役職: 部長 部署: 財務部 会社: ABCD ホールディング 場所: NYHQ 日時: 29130809T12:34:11Z
  22. 22. © 2013 by Nomura Research Institute. All rights reserved. 社員番号: A12349898 氏名: 山田太郎 役職: 部長 部署: 財務部 会社: ABCD ホールディング 場所: NYHQ 日時: 29130809T12:34:11Z logging User interface Access Contro info
  23. 23. © 2013 by Nomura Research Institute. All rights reserved. Real Name Professional qualification department Geo-location Employee number Entity Identity Resource Authentication Policy Enforcement Rules
  24. 24. © 2013 by Nomura Research Institute. All rights reserved. ABAC Based on SP800-162 figure on page viii identity Resource Rules entity
  25. 25. © 2013 by Nomura Research Institute. All rights reserved. 要件 R1 • Access Control MUST be done with the dynamic attributes R2 • Identity MUST be provided from the authoritative source R3 • Need to be able to provide flexible security. R4 • Need to be dead simple. R5 • Interoperability is the king. R6 • Limited connection (esp. mobile) ready. R7 • Unified technology for enterprise and consumer.
  26. 26. © 2013 by Nomura Research Institute. All rights reserved. 氏名 資格 部署 位置情報 社員番号 役職 Entity Identity Resource Authentication PEP PDP PAP / PIP Boss Metadata Log Log Application Accounts アカウント・プロビジョニング 認証 e.g., OpenID/SAML e.g., SCIM / SPML アクセス制御(認可) e.g., XACML/ JACML?
  27. 27. © 2013 by Nomura Research Institute. All rights reserved. OpenID Connectの 実装経験より
  28. 28. © 2013 by Nomura Research Institute. All rights reserved. ちゃんと MUST は守りましょう。 • いくつかの実装は MUST を実装せずにセキュリティ・ホールを生んで いました。. アクセストークンを、IDトークン抜きで他のクライアント や機械に送らないように。 • トークン置換え攻撃に脆弱になります。 • http://www.thread-safe.com/2012/01/problem-with-oauth-for- authentication.html “code” や “token” のサーバーサイドでの処理の負荷には十 分気をつけること。 • ある実装では、2000 tr/秒 処理しているが、このようなときには、署 名処理・暗号化処理の負荷を十分気をつける必要あり。
  29. 29. © 2013 by Nomura Research Institute. All rights reserved. 30
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×