Your SlideShare is downloading. ×
OpenID Connect - how it solves enterprise problems
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×

Introducing the official SlideShare app

Stunning, full-screen experience for iPhone and Android

Text the download link to your phone

Standard text messaging rates apply

OpenID Connect - how it solves enterprise problems

933
views

Published on

OpenID Connect is an identity layer on top of OAuth 2.0 Authorization Framework. This session gives an overview of the underlying concept and how it can help you solve your problems.

OpenID Connect is an identity layer on top of OAuth 2.0 Authorization Framework. This session gives an overview of the underlying concept and how it can help you solve your problems.

Published in: Technology, Health & Medicine

0 Comments
4 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
933
On Slideshare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
37
Comments
0
Likes
4
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. Nomura Research Institute Cloud Identity Summit 2013 OpenID Connect: How it solves your problems July 10, 2013 Nat Sakimura Nomura Research Institute Chairman, The OpenID Foundation @_nat_en http://nat.sakimura.org/
  • 2. © 2013 by Nomura Research Institute. All rights reserved. Nomura Research Institute B2E Identity B2C Identity G2C Identity (source of pictures)Microsoft Office Online G2E Identity
  • 3. © 2013 by Nomura Research Institute. All rights reserved. Nomura Research Institute "Why OpenID Connect is relevant for us enterprise? It's a consumer technology, is it not?"
  • 4. © 2013 by Nomura Research Institute. All rights reserved. Nomura Research Institute Not quite. because I have very enterprizy background…
  • 5. © 2013 by Nomura Research Institute. All rights reserved. Nomura Research Institute OpenID Connect was built with Enterprise use in mind (as well as consumer use); helps you build effective access governance over cloud services
  • 6. © 2013 by Nomura Research Institute. All rights reserved. Nomura Research Institute What are the de facto federation and account provisioning protocols?
  • 7. © 2013 by Nomura Research Institute. All rights reserved. Nomura Research Institute Identity Federation •SAML? Account Provisioning •SPML?
  • 8. © 2013 by Nomura Research Institute. All rights reserved. Nomura Research Institute
  • 9. © 2013 by Nomura Research Institute. All rights reserved. Nomura Research Institute Identity Federation •Password Sharing Account Provisioning •Custom CSV
  • 10. © 2013 by Nomura Research Institute. All rights reserved. Nomura Research Institute Why did we fail?
  • 11. © 2013 by Nomura Research Institute. All rights reserved. Nomura Research Institute Too complex to understand. cognitive difficulty -> Support difficulty Different products did not interoperate. A large Japanese manufacturer: ▪ > 3000 partners all around the world ▪ Many of them were working with multiple companies ▪ Tried to create a SAML federation but failed.
  • 12. © 2013 by Nomura Research Institute. All rights reserved. Nomura Research Institute CSV is easy. • Hey, you just need Excel! And you can manually edit them! Password Sharing is easy. • Hey, it works on any application that supports password!
  • 13. © 2013 by Nomura Research Institute. All rights reserved. Nomura Research Institute Lots of (hidden) problems…
  • 14. © 2013 by Nomura Research Institute. All rights reserved. Nomura Research Institute Anything that more than 3 people knows is not a secret! Can easily get out of sync. Allowing manual edit is a risk. De-provisioning? Archiving? Are you getting audit trail of the access to those systems? etc…
  • 15. © 2013 by Nomura Research Institute. All rights reserved. Nomura Research Institute #fail
  • 16. © 2013 by Nomura Research Institute. All rights reserved. Nomura Research Institute Let’s re-do. This time, dead simple. Yes, we are reinventing a wheel, but This time, it will be a little rounder.
  • 17. © 2013 by Nomura Research Institute. All rights reserved. Nomura Research Institute OpenID Connect & SCIM
  • 18. © 2013 by Nomura Research Institute. All rights reserved. Nomura Research Institute SAML v.s. OpenID Connect SAML Web SSO OpenID Connect XML JSON XML Dsig JSON Web Signature (JWS) XML Encryption JSON Web Encryption (JWE) SAML JSON Web Token SAML Assertion ID Token (OIDC) SOAP (mostly…) REST SAML Web SSO Profile Standard (=OAuth 2.0 binding) SPML SCIM
  • 19. © 2013 by Nomura Research Institute. All rights reserved. Nomura Research Institute identity set of attributes related to an entity ISO/IEC 29115 | ITU-T X.1254 Note: distinguish identity and identifier carefully.
  • 20. © 2013 by Nomura Research Institute. All rights reserved. Nomura Research Institute An example of simplistic enterprise “identity” Employee number: A12349898 Name: John Smith Position: General Manager Department: Finance Company: ABCD Holding Location: NYHQ Datetime: 29130809T12:34:11Z
  • 21. © 2013 by Nomura Research Institute. All rights reserved. Nomura Research Institute Employee number: A12349898 Name: John Smith Position: General Manager Department: Finance Company: ABCD Holding Location: NYHQ Datetime: 29130809T12:34:11Z logging User interface Access Contro info
  • 22. © 2013 by Nomura Research Institute. All rights reserved. Nomura Research Institute Real Name Professional qualification department Geo-location Employee number Entity Identity Resource Authentication Policy Enforcement Rules
  • 23. © 2013 by Nomura Research Institute. All rights reserved. Nomura Research Institute ABAC Based on SP800-162 figure on page viii identity Resource Rules entity
  • 24. © 2013 by Nomura Research Institute. All rights reserved. Nomura Research Institute Real Name Professional qualification department Geo-location Employee number Entity Identity Resource Authentication PEP PDP PAP Boss Metadata Log Log
  • 25. © 2013 by Nomura Research Institute. All rights reserved. Nomura Research Institute Requirements R1 • Access Control MUST be done with the dynamic attributes R2 • Identity MUST be provided from the authoritative source R3 • Need to be able to provide flexible security. R4 • Need to be dead simple. R5 • Interoperability is the king. R6 • Limited connection (esp. mobile) ready. R7 • Unified technology for enterprise and consumer.
  • 26. © 2013 by Nomura Research Institute. All rights reserved. Nomura Research Institute Real Name Professional qualification department Geo-location Employee number Entity Identity Resource Authentication PEP PDP PAP Boss Metadata Log Log
  • 27. © 2013 by Nomura Research Institute. All rights reserved. Nomura Research Institute Deployment Experiences of OpenID Connect
  • 28. © 2013 by Nomura Research Institute. All rights reserved. Nomura Research Institute What kind of deployment have we done? Windows Domain integration SMTP/IMAP/SSH & OpenID Connect A large provider integration Privacy Proxy
  • 29. © 2013 by Nomura Research Institute. All rights reserved. Nomura Research Institute Windows Domain Integration AD Connect Server Access Log Service Servic e Service Service Registration Discovery HR System
  • 30. © 2013 by Nomura Research Institute. All rights reserved. Nomura Research Institute Easy to implement • Building was easy; • Deployment was easy partly because you can “provision” the linked accounts; Nice user experience for enterprise users • No login dialogues; Leverage on Windows Logon; • No consent – as it is administered by the admin, and it is following privacy rules; • Help Avoid “Pavlov’s Dog Problem”
  • 31. © 2013 by Nomura Research Institute. All rights reserved. Nomura Research Institute Turning Internet Dog to Pavlov’s Dog 32 (Source) Based on IIW dog
  • 32. © 2013 by Nomura Research Institute. All rights reserved. Nomura Research Institute But what about other protocols? SMTP / IMAP / SSH etc. Application Passwords …
  • 33. © 2013 by Nomura Research Institute. All rights reserved. Nomura Research Institute PAM Module for OpenID Connect SMTP IMAP SSH PAM OIDC Plugin OpenID Connect Server Thunde rbrid Web Browse r Token Token as Password Token Introspection
  • 34. © 2013 by Nomura Research Institute. All rights reserved. Nomura Research Institute Make sure to follow verification rules • Some implementation were bitten by not following MUSTs. Never send an access token without accompanying ID Token to any other clients. • Otherwise, you will be subject to token swap attack. • http://www.thread-safe.com/2012/01/problem-with-oauth-for- authentication.html Care should be taken for “code” and “token” server- side verification • Maybe not so acute in most enterprise deployment, but in one of the consumer solution that we help run, it is doing 2000 tr/sec
  • 35. © 2013 by Nomura Research Institute. All rights reserved. Nomura Research Institute 36