SlideShare a Scribd company logo

OpenID Connect - how it solves enterprise problems

Download as PPTX, PDF
Nat Sakimura
Nat Sakimura

OpenID Connect is an identity layer on top of OAuth 2.0 Authorization Framework. This session gives an overview of the underlying concept and how it can help you solve your problems.

TechnologyHealth & Medicine
1 of 35
Nomura Research Institute Cloud Identity Summit 2013 OpenID Connect: How it solves your problems July 10, 2013 Nat Sakimura Nomura Research Institute Chairman, The OpenID Foundation @_nat_en http://nat.sakimura.org/
© 2013 by Nomura Research Institute. All rights reserved. Nomura Research Institute B2E Identity B2C Identity G2C Identity (source of pictures)Microsoft Office Online G2E Identity
© 2013 by Nomura Research Institute. All rights reserved. Nomura Research Institute "Why OpenID Connect is relevant for us enterprise? It's a consumer technology, is it not?"
© 2013 by Nomura Research Institute. All rights reserved. Nomura Research Institute Not quite. because I have very enterprizy background…
© 2013 by Nomura Research Institute. All rights reserved. Nomura Research Institute OpenID Connect was built with Enterprise use in mind (as well as consumer use); helps you build effective access governance over cloud services
© 2013 by Nomura Research Institute. All rights reserved. Nomura Research Institute What are the de facto federation and account provisioning protocols?
© 2013 by Nomura Research Institute. All rights reserved. Nomura Research Institute Identity Federation •SAML? Account Provisioning •SPML?
© 2013 by Nomura Research Institute. All rights reserved. Nomura Research Institute
© 2013 by Nomura Research Institute. All rights reserved. Nomura Research Institute Identity Federation •Password Sharing Account Provisioning •Custom CSV
© 2013 by Nomura Research Institute. All rights reserved. Nomura Research Institute Why did we fail?
© 2013 by Nomura Research Institute. All rights reserved. Nomura Research Institute Too complex to understand. cognitive difficulty -> Support difficulty Different products did not interoperate. A large Japanese manufacturer: ▪ > 3000 partners all around the world ▪ Many of them were working with multiple companies ▪ Tried to create a SAML federation but failed.
© 2013 by Nomura Research Institute. All rights reserved. Nomura Research Institute CSV is easy. • Hey, you just need Excel! And you can manually edit them! Password Sharing is easy. • Hey, it works on any application that supports password!
© 2013 by Nomura Research Institute. All rights reserved. Nomura Research Institute Lots of (hidden) problems…
© 2013 by Nomura Research Institute. All rights reserved. Nomura Research Institute Anything that more than 3 people knows is not a secret! Can easily get out of sync. Allowing manual edit is a risk. De-provisioning? Archiving? Are you getting audit trail of the access to those systems? etc…
© 2013 by Nomura Research Institute. All rights reserved. Nomura Research Institute #fail
© 2013 by Nomura Research Institute. All rights reserved. Nomura Research Institute Let’s re-do. This time, dead simple. Yes, we are reinventing a wheel, but This time, it will be a little rounder.
© 2013 by Nomura Research Institute. All rights reserved. Nomura Research Institute OpenID Connect & SCIM
© 2013 by Nomura Research Institute. All rights reserved. Nomura Research Institute SAML v.s. OpenID Connect SAML Web SSO OpenID Connect XML JSON XML Dsig JSON Web Signature (JWS) XML Encryption JSON Web Encryption (JWE) SAML JSON Web Token SAML Assertion ID Token (OIDC) SOAP (mostly…) REST SAML Web SSO Profile Standard (=OAuth 2.0 binding) SPML SCIM
© 2013 by Nomura Research Institute. All rights reserved. Nomura Research Institute identity set of attributes related to an entity ISO/IEC 29115 | ITU-T X.1254 Note: distinguish identity and identifier carefully.
© 2013 by Nomura Research Institute. All rights reserved. Nomura Research Institute An example of simplistic enterprise “identity” Employee number: A12349898 Name: John Smith Position: General Manager Department: Finance Company: ABCD Holding Location: NYHQ Datetime: 29130809T12:34:11Z
© 2013 by Nomura Research Institute. All rights reserved. Nomura Research Institute Employee number: A12349898 Name: John Smith Position: General Manager Department: Finance Company: ABCD Holding Location: NYHQ Datetime: 29130809T12:34:11Z logging User interface Access Contro info
© 2013 by Nomura Research Institute. All rights reserved. Nomura Research Institute Real Name Professional qualification department Geo-location Employee number Entity Identity Resource Authentication Policy Enforcement Rules
© 2013 by Nomura Research Institute. All rights reserved. Nomura Research Institute ABAC Based on SP800-162 figure on page viii identity Resource Rules entity
© 2013 by Nomura Research Institute. All rights reserved. Nomura Research Institute Real Name Professional qualification department Geo-location Employee number Entity Identity Resource Authentication PEP PDP PAP Boss Metadata Log Log
© 2013 by Nomura Research Institute. All rights reserved. Nomura Research Institute Requirements R1 • Access Control MUST be done with the dynamic attributes R2 • Identity MUST be provided from the authoritative source R3 • Need to be able to provide flexible security. R4 • Need to be dead simple. R5 • Interoperability is the king. R6 • Limited connection (esp. mobile) ready. R7 • Unified technology for enterprise and consumer.
© 2013 by Nomura Research Institute. All rights reserved. Nomura Research Institute Real Name Professional qualification department Geo-location Employee number Entity Identity Resource Authentication PEP PDP PAP Boss Metadata Log Log
© 2013 by Nomura Research Institute. All rights reserved. Nomura Research Institute Deployment Experiences of OpenID Connect
© 2013 by Nomura Research Institute. All rights reserved. Nomura Research Institute What kind of deployment have we done? Windows Domain integration SMTP/IMAP/SSH & OpenID Connect A large provider integration Privacy Proxy
© 2013 by Nomura Research Institute. All rights reserved. Nomura Research Institute Windows Domain Integration AD Connect Server Access Log Service Servic e Service Service Registration Discovery HR System
© 2013 by Nomura Research Institute. All rights reserved. Nomura Research Institute Easy to implement • Building was easy; • Deployment was easy partly because you can “provision” the linked accounts; Nice user experience for enterprise users • No login dialogues; Leverage on Windows Logon; • No consent – as it is administered by the admin, and it is following privacy rules; • Help Avoid “Pavlov’s Dog Problem”
© 2013 by Nomura Research Institute. All rights reserved. Nomura Research Institute Turning Internet Dog to Pavlov’s Dog 32 (Source) Based on IIW dog
© 2013 by Nomura Research Institute. All rights reserved. Nomura Research Institute But what about other protocols? SMTP / IMAP / SSH etc. Application Passwords …
© 2013 by Nomura Research Institute. All rights reserved. Nomura Research Institute PAM Module for OpenID Connect SMTP IMAP SSH PAM OIDC Plugin OpenID Connect Server Thunde rbrid Web Browse r Token Token as Password Token Introspection
© 2013 by Nomura Research Institute. All rights reserved. Nomura Research Institute Make sure to follow verification rules • Some implementation were bitten by not following MUSTs. Never send an access token without accompanying ID Token to any other clients. • Otherwise, you will be subject to token swap attack. • http://www.thread-safe.com/2012/01/problem-with-oauth-for- authentication.html Care should be taken for “code” and “token” server- side verification • Maybe not so acute in most enterprise deployment, but in one of the consumer solution that we help run, it is doing 2000 tr/sec
© 2013 by Nomura Research Institute. All rights reserved. Nomura Research Institute 36

Recommended

OpenID Foundation Foundation Financial API (FAPI) WG
OpenID Foundation Foundation Financial API (FAPI) WGOpenID Foundation Foundation Financial API (FAPI) WG
OpenID Foundation Foundation Financial API (FAPI) WG
Nat Sakimura
 
FAPI and beyond - よりよいセキュリティのために
FAPI and beyond - よりよいセキュリティのためにFAPI and beyond - よりよいセキュリティのために
FAPI and beyond - よりよいセキュリティのために
Nat Sakimura
 
OpenID in the Digital ID Landscape: A Perspective From the Past to the Future
OpenID in the Digital ID Landscape: A Perspective From the Past to the FutureOpenID in the Digital ID Landscape: A Perspective From the Past to the Future
OpenID in the Digital ID Landscape: A Perspective From the Past to the Future
Nat Sakimura
 
170724 JP/UK Open Banking Summit English Translation
170724 JP/UK Open Banking Summit English Translation170724 JP/UK Open Banking Summit English Translation
170724 JP/UK Open Banking Summit English Translation
Nat Sakimura
 
Introduction to 
the FAPI Read & Write OAuth Profile - Jan 2018 Updates
Introduction to 
the FAPI Read & Write OAuth Profile - Jan 2018 UpdatesIntroduction to 
the FAPI Read & Write OAuth Profile - Jan 2018 Updates
Introduction to 
the FAPI Read & Write OAuth Profile - Jan 2018 Updates
Nat Sakimura
 
Introduction to the FAPI Read & Write OAuth Profile
Introduction to the FAPI Read & Write OAuth ProfileIntroduction to the FAPI Read & Write OAuth Profile
Introduction to the FAPI Read & Write OAuth Profile
Nat Sakimura
 
金融 API 時代のセキュリティ: OpenID Financial API (FAPI) WG
金融 API 時代のセキュリティ: OpenID Financial API (FAPI) WG金融 API 時代のセキュリティ: OpenID Financial API (FAPI) WG
金融 API 時代のセキュリティ: OpenID Financial API (FAPI) WG
Nat Sakimura
 
ブロックチェーン〜信頼の源泉の民主化のもたらす変革
ブロックチェーン〜信頼の源泉の民主化のもたらす変革ブロックチェーン〜信頼の源泉の民主化のもたらす変革
ブロックチェーン〜信頼の源泉の民主化のもたらす変革
Nat Sakimura
 

Recommended

OpenID Foundation Foundation Financial API (FAPI) WG
OpenID Foundation Foundation Financial API (FAPI) WGOpenID Foundation Foundation Financial API (FAPI) WG
OpenID Foundation Foundation Financial API (FAPI) WG
Nat Sakimura
 
FAPI and beyond - よりよいセキュリティのために
FAPI and beyond - よりよいセキュリティのためにFAPI and beyond - よりよいセキュリティのために
FAPI and beyond - よりよいセキュリティのために
Nat Sakimura
 
OpenID in the Digital ID Landscape: A Perspective From the Past to the Future
OpenID in the Digital ID Landscape: A Perspective From the Past to the FutureOpenID in the Digital ID Landscape: A Perspective From the Past to the Future
OpenID in the Digital ID Landscape: A Perspective From the Past to the Future
Nat Sakimura
 
170724 JP/UK Open Banking Summit English Translation
170724 JP/UK Open Banking Summit English Translation170724 JP/UK Open Banking Summit English Translation
170724 JP/UK Open Banking Summit English Translation
Nat Sakimura
 
Introduction to 
the FAPI Read & Write OAuth Profile - Jan 2018 Updates
Introduction to 
the FAPI Read & Write OAuth Profile - Jan 2018 UpdatesIntroduction to 
the FAPI Read & Write OAuth Profile - Jan 2018 Updates
Introduction to 
the FAPI Read & Write OAuth Profile - Jan 2018 Updates
Nat Sakimura
 
Introduction to the FAPI Read & Write OAuth Profile
Introduction to the FAPI Read & Write OAuth ProfileIntroduction to the FAPI Read & Write OAuth Profile
Introduction to the FAPI Read & Write OAuth Profile
Nat Sakimura
 
金融 API 時代のセキュリティ: OpenID Financial API (FAPI) WG
金融 API 時代のセキュリティ: OpenID Financial API (FAPI) WG金融 API 時代のセキュリティ: OpenID Financial API (FAPI) WG
金融 API 時代のセキュリティ: OpenID Financial API (FAPI) WG
Nat Sakimura
 
ブロックチェーン〜信頼の源泉の民主化のもたらす変革
ブロックチェーン〜信頼の源泉の民主化のもたらす変革ブロックチェーン〜信頼の源泉の民主化のもたらす変革
ブロックチェーン〜信頼の源泉の民主化のもたらす変革
Nat Sakimura
 
Future Proofing the OAuth 2.0 Authorization Code Grant Protocol by the applic...
Future Proofing the OAuth 2.0 Authorization Code Grant Protocol by the applic...Future Proofing the OAuth 2.0 Authorization Code Grant Protocol by the applic...
Future Proofing the OAuth 2.0 Authorization Code Grant Protocol by the applic...
Nat Sakimura
 
OpenID Foundation FAPI WG: June 2017 Update
OpenID Foundation FAPI WG: June 2017 UpdateOpenID Foundation FAPI WG: June 2017 Update
OpenID Foundation FAPI WG: June 2017 Update
Nat Sakimura
 
API Days 2016 Day 1: OpenID Financial API WG
API Days 2016 Day 1: OpenID Financial API WGAPI Days 2016 Day 1: OpenID Financial API WG
API Days 2016 Day 1: OpenID Financial API WG
Nat Sakimura
 
Financial Grade OAuth & OpenID Connect
Financial Grade OAuth & OpenID ConnectFinancial Grade OAuth & OpenID Connect
Financial Grade OAuth & OpenID Connect
Nat Sakimura
 
OpenID Foundation Foundation Financial API (FAPI) WG
OpenID Foundation Foundation Financial API (FAPI) WGOpenID Foundation Foundation Financial API (FAPI) WG
OpenID Foundation Foundation Financial API (FAPI) WG
Nat Sakimura
 
車輪は丸くなったか?~デジタル・アイデンティティの標準化動向とそのゴール
車輪は丸くなったか?~デジタル・アイデンティティの標準化動向とそのゴール車輪は丸くなったか?~デジタル・アイデンティティの標準化動向とそのゴール
車輪は丸くなったか?~デジタル・アイデンティティの標準化動向とそのゴール
Nat Sakimura
 
OAuth SPOP @ IETF 91
OAuth SPOP @ IETF 91OAuth SPOP @ IETF 91
OAuth SPOP @ IETF 91
Nat Sakimura
 
Oidc how it solves your problems
Oidc how it solves your problemsOidc how it solves your problems
Oidc how it solves your problems
Nat Sakimura
 
Transient client secret extension
Transient client secret extensionTransient client secret extension
Transient client secret extension
Nat Sakimura
 
Introduction to OpenID Connect
Introduction to OpenID Connect Introduction to OpenID Connect
Introduction to OpenID Connect
Nat Sakimura
 
Nc 30 sakimura-distribution_0604
Nc 30 sakimura-distribution_0604Nc 30 sakimura-distribution_0604
Nc 30 sakimura-distribution_0604
Nat Sakimura
 
Smartphone Native Application OP
Smartphone Native Application OPSmartphone Native Application OP
Smartphone Native Application OP
Nat Sakimura
 
Open idとcyber空間
Open idとcyber空間Open idとcyber空間
Open idとcyber空間
Nat Sakimura
 
サイバー空間上の信頼フレームワークとパーソナルデータ経済
サイバー空間上の信頼フレームワークとパーソナルデータ経済サイバー空間上の信頼フレームワークとパーソナルデータ経済
サイバー空間上の信頼フレームワークとパーソナルデータ経済
Nat Sakimura
 
Closing Note
Closing NoteClosing Note
Closing Note
Nat Sakimura
 
20110706 PIDSプロジェクト中間報告
20110706 PIDSプロジェクト中間報告20110706 PIDSプロジェクト中間報告
20110706 PIDSプロジェクト中間報告
Nat Sakimura
 
Open id specifications_work_update-tokyo_2011
Open id specifications_work_update-tokyo_2011Open id specifications_work_update-tokyo_2011
Open id specifications_work_update-tokyo_2011
Nat Sakimura
 
国民ID制度とトラスト・フレームワーク
国民ID制度とトラスト・フレームワーク国民ID制度とトラスト・フレームワーク
国民ID制度とトラスト・フレームワーク
Nat Sakimura
 
Introduction to OpenID TX proposed extension
Introduction to OpenID TX proposed extensionIntroduction to OpenID TX proposed extension
Introduction to OpenID TX proposed extension
Nat Sakimura
 
Sharing the Success of OpenID Japan Success
Sharing the Success of OpenID Japan SuccessSharing the Success of OpenID Japan Success
Sharing the Success of OpenID Japan Success
Nat Sakimura
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Zilliz
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
DianaGray10
 

More Related Content

More from Nat Sakimura

車輪は丸くなったか?~デジタル・アイデンティティの標準化動向とそのゴール
車輪は丸くなったか?~デジタル・アイデンティティの標準化動向とそのゴール車輪は丸くなったか?~デジタル・アイデンティティの標準化動向とそのゴール
車輪は丸くなったか?~デジタル・アイデンティティの標準化動向とそのゴール
Nat Sakimura
 
Oidc how it solves your problems
Oidc how it solves your problemsOidc how it solves your problems
Oidc how it solves your problems
Nat Sakimura
 
Transient client secret extension
Transient client secret extensionTransient client secret extension
Transient client secret extension
Nat Sakimura
 
Nc 30 sakimura-distribution_0604
Nc 30 sakimura-distribution_0604Nc 30 sakimura-distribution_0604
Nc 30 sakimura-distribution_0604
Nat Sakimura
 
Open idとcyber空間
Open idとcyber空間Open idとcyber空間
Open idとcyber空間
Nat Sakimura
 
Open id specifications_work_update-tokyo_2011
Open id specifications_work_update-tokyo_2011Open id specifications_work_update-tokyo_2011
Open id specifications_work_update-tokyo_2011
Nat Sakimura
 

More from Nat Sakimura (20)

Future Proofing the OAuth 2.0 Authorization Code Grant Protocol by the applic...
Future Proofing the OAuth 2.0 Authorization Code Grant Protocol by the applic...Future Proofing the OAuth 2.0 Authorization Code Grant Protocol by the applic...
Future Proofing the OAuth 2.0 Authorization Code Grant Protocol by the applic...
 
OpenID Foundation FAPI WG: June 2017 Update
OpenID Foundation FAPI WG: June 2017 UpdateOpenID Foundation FAPI WG: June 2017 Update
OpenID Foundation FAPI WG: June 2017 Update
 
API Days 2016 Day 1: OpenID Financial API WG
API Days 2016 Day 1: OpenID Financial API WGAPI Days 2016 Day 1: OpenID Financial API WG
API Days 2016 Day 1: OpenID Financial API WG
 
Financial Grade OAuth & OpenID Connect
Financial Grade OAuth & OpenID ConnectFinancial Grade OAuth & OpenID Connect
Financial Grade OAuth & OpenID Connect
 
OpenID Foundation Foundation Financial API (FAPI) WG
OpenID Foundation Foundation Financial API (FAPI) WGOpenID Foundation Foundation Financial API (FAPI) WG
OpenID Foundation Foundation Financial API (FAPI) WG
 
車輪は丸くなったか?~デジタル・アイデンティティの標準化動向とそのゴール
車輪は丸くなったか?~デジタル・アイデンティティの標準化動向とそのゴール車輪は丸くなったか?~デジタル・アイデンティティの標準化動向とそのゴール
車輪は丸くなったか?~デジタル・アイデンティティの標準化動向とそのゴール
 
OAuth SPOP @ IETF 91
OAuth SPOP @ IETF 91OAuth SPOP @ IETF 91
OAuth SPOP @ IETF 91
 
Oidc how it solves your problems
Oidc how it solves your problemsOidc how it solves your problems
Oidc how it solves your problems
 
Transient client secret extension
Transient client secret extensionTransient client secret extension
Transient client secret extension
 
Introduction to OpenID Connect
Introduction to OpenID Connect Introduction to OpenID Connect
Introduction to OpenID Connect
 
Nc 30 sakimura-distribution_0604
Nc 30 sakimura-distribution_0604Nc 30 sakimura-distribution_0604
Nc 30 sakimura-distribution_0604
 
Smartphone Native Application OP
Smartphone Native Application OPSmartphone Native Application OP
Smartphone Native Application OP
 
Open idとcyber空間
Open idとcyber空間Open idとcyber空間
Open idとcyber空間
 
サイバー空間上の信頼フレームワークとパーソナルデータ経済
サイバー空間上の信頼フレームワークとパーソナルデータ経済サイバー空間上の信頼フレームワークとパーソナルデータ経済
サイバー空間上の信頼フレームワークとパーソナルデータ経済
 
Closing Note
Closing NoteClosing Note
Closing Note
 
20110706 PIDSプロジェクト中間報告
20110706 PIDSプロジェクト中間報告20110706 PIDSプロジェクト中間報告
20110706 PIDSプロジェクト中間報告
 
Open id specifications_work_update-tokyo_2011
Open id specifications_work_update-tokyo_2011Open id specifications_work_update-tokyo_2011
Open id specifications_work_update-tokyo_2011
 
国民ID制度とトラスト・フレームワーク
国民ID制度とトラスト・フレームワーク国民ID制度とトラスト・フレームワーク
国民ID制度とトラスト・フレームワーク
 
Introduction to OpenID TX proposed extension
Introduction to OpenID TX proposed extensionIntroduction to OpenID TX proposed extension
Introduction to OpenID TX proposed extension
 
Sharing the Success of OpenID Japan Success
Sharing the Success of OpenID Japan SuccessSharing the Success of OpenID Japan Success
Sharing the Success of OpenID Japan Success
 

Recently uploaded

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Jeffrey Haguewood
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
UiPathCommunity
 

Recently uploaded (20)

Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Introduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDMIntroduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDM
 
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 

OpenID Connect - how it solves enterprise problems

  • 1. Nomura Research Institute Cloud Identity Summit 2013 OpenID Connect: How it solves your problems July 10, 2013 Nat Sakimura Nomura Research Institute Chairman, The OpenID Foundation @_nat_en http://nat.sakimura.org/
  • 2. © 2013 by Nomura Research Institute. All rights reserved. Nomura Research Institute B2E Identity B2C Identity G2C Identity (source of pictures)Microsoft Office Online G2E Identity
  • 3. © 2013 by Nomura Research Institute. All rights reserved. Nomura Research Institute "Why OpenID Connect is relevant for us enterprise? It's a consumer technology, is it not?"
  • 4. © 2013 by Nomura Research Institute. All rights reserved. Nomura Research Institute Not quite. because I have very enterprizy background…
  • 5. © 2013 by Nomura Research Institute. All rights reserved. Nomura Research Institute OpenID Connect was built with Enterprise use in mind (as well as consumer use); helps you build effective access governance over cloud services
  • 6. © 2013 by Nomura Research Institute. All rights reserved. Nomura Research Institute What are the de facto federation and account provisioning protocols?
  • 7. © 2013 by Nomura Research Institute. All rights reserved. Nomura Research Institute Identity Federation •SAML? Account Provisioning •SPML?
  • 8. © 2013 by Nomura Research Institute. All rights reserved. Nomura Research Institute
  • 9. © 2013 by Nomura Research Institute. All rights reserved. Nomura Research Institute Identity Federation •Password Sharing Account Provisioning •Custom CSV
  • 10. © 2013 by Nomura Research Institute. All rights reserved. Nomura Research Institute Why did we fail?
  • 11. © 2013 by Nomura Research Institute. All rights reserved. Nomura Research Institute Too complex to understand. cognitive difficulty -> Support difficulty Different products did not interoperate. A large Japanese manufacturer: ▪ > 3000 partners all around the world ▪ Many of them were working with multiple companies ▪ Tried to create a SAML federation but failed.
  • 12. © 2013 by Nomura Research Institute. All rights reserved. Nomura Research Institute CSV is easy. • Hey, you just need Excel! And you can manually edit them! Password Sharing is easy. • Hey, it works on any application that supports password!
  • 13. © 2013 by Nomura Research Institute. All rights reserved. Nomura Research Institute Lots of (hidden) problems…
  • 14. © 2013 by Nomura Research Institute. All rights reserved. Nomura Research Institute Anything that more than 3 people knows is not a secret! Can easily get out of sync. Allowing manual edit is a risk. De-provisioning? Archiving? Are you getting audit trail of the access to those systems? etc…
  • 15. © 2013 by Nomura Research Institute. All rights reserved. Nomura Research Institute #fail
  • 16. © 2013 by Nomura Research Institute. All rights reserved. Nomura Research Institute Let’s re-do. This time, dead simple. Yes, we are reinventing a wheel, but This time, it will be a little rounder.
  • 17. © 2013 by Nomura Research Institute. All rights reserved. Nomura Research Institute OpenID Connect & SCIM
  • 18. © 2013 by Nomura Research Institute. All rights reserved. Nomura Research Institute SAML v.s. OpenID Connect SAML Web SSO OpenID Connect XML JSON XML Dsig JSON Web Signature (JWS) XML Encryption JSON Web Encryption (JWE) SAML JSON Web Token SAML Assertion ID Token (OIDC) SOAP (mostly…) REST SAML Web SSO Profile Standard (=OAuth 2.0 binding) SPML SCIM
  • 19. © 2013 by Nomura Research Institute. All rights reserved. Nomura Research Institute identity set of attributes related to an entity ISO/IEC 29115 | ITU-T X.1254 Note: distinguish identity and identifier carefully.
  • 20. © 2013 by Nomura Research Institute. All rights reserved. Nomura Research Institute An example of simplistic enterprise “identity” Employee number: A12349898 Name: John Smith Position: General Manager Department: Finance Company: ABCD Holding Location: NYHQ Datetime: 29130809T12:34:11Z
  • 21. © 2013 by Nomura Research Institute. All rights reserved. Nomura Research Institute Employee number: A12349898 Name: John Smith Position: General Manager Department: Finance Company: ABCD Holding Location: NYHQ Datetime: 29130809T12:34:11Z logging User interface Access Contro info
  • 22. © 2013 by Nomura Research Institute. All rights reserved. Nomura Research Institute Real Name Professional qualification department Geo-location Employee number Entity Identity Resource Authentication Policy Enforcement Rules
  • 23. © 2013 by Nomura Research Institute. All rights reserved. Nomura Research Institute ABAC Based on SP800-162 figure on page viii identity Resource Rules entity
  • 24. © 2013 by Nomura Research Institute. All rights reserved. Nomura Research Institute Real Name Professional qualification department Geo-location Employee number Entity Identity Resource Authentication PEP PDP PAP Boss Metadata Log Log
  • 25. © 2013 by Nomura Research Institute. All rights reserved. Nomura Research Institute Requirements R1 • Access Control MUST be done with the dynamic attributes R2 • Identity MUST be provided from the authoritative source R3 • Need to be able to provide flexible security. R4 • Need to be dead simple. R5 • Interoperability is the king. R6 • Limited connection (esp. mobile) ready. R7 • Unified technology for enterprise and consumer.
  • 26. © 2013 by Nomura Research Institute. All rights reserved. Nomura Research Institute Real Name Professional qualification department Geo-location Employee number Entity Identity Resource Authentication PEP PDP PAP Boss Metadata Log Log
  • 27. © 2013 by Nomura Research Institute. All rights reserved. Nomura Research Institute Deployment Experiences of OpenID Connect
  • 28. © 2013 by Nomura Research Institute. All rights reserved. Nomura Research Institute What kind of deployment have we done? Windows Domain integration SMTP/IMAP/SSH & OpenID Connect A large provider integration Privacy Proxy
  • 29. © 2013 by Nomura Research Institute. All rights reserved. Nomura Research Institute Windows Domain Integration AD Connect Server Access Log Service Servic e Service Service Registration Discovery HR System
  • 30. © 2013 by Nomura Research Institute. All rights reserved. Nomura Research Institute Easy to implement • Building was easy; • Deployment was easy partly because you can “provision” the linked accounts; Nice user experience for enterprise users • No login dialogues; Leverage on Windows Logon; • No consent – as it is administered by the admin, and it is following privacy rules; • Help Avoid “Pavlov’s Dog Problem”
  • 31. © 2013 by Nomura Research Institute. All rights reserved. Nomura Research Institute Turning Internet Dog to Pavlov’s Dog 32 (Source) Based on IIW dog
  • 32. © 2013 by Nomura Research Institute. All rights reserved. Nomura Research Institute But what about other protocols? SMTP / IMAP / SSH etc. Application Passwords …
  • 33. © 2013 by Nomura Research Institute. All rights reserved. Nomura Research Institute PAM Module for OpenID Connect SMTP IMAP SSH PAM OIDC Plugin OpenID Connect Server Thunde rbrid Web Browse r Token Token as Password Token Introspection
  • 34. © 2013 by Nomura Research Institute. All rights reserved. Nomura Research Institute Make sure to follow verification rules • Some implementation were bitten by not following MUSTs. Never send an access token without accompanying ID Token to any other clients. • Otherwise, you will be subject to token swap attack. • http://www.thread-safe.com/2012/01/problem-with-oauth-for- authentication.html Care should be taken for “code” and “token” server- side verification • Maybe not so acute in most enterprise deployment, but in one of the consumer solution that we help run, it is doing 2000 tr/sec
  • 35. © 2013 by Nomura Research Institute. All rights reserved. Nomura Research Institute 36