1. Nomura Research Institute
Cloud Identity Summit 2013
OpenID Connect:
How it solves your problems
July 10, 2013
Nat Sakimura
Nomura Research Institute
Chairman, The OpenID Foundation
@_nat_en
http://nat.sakimura.org/
2. © 2013 by Nomura Research Institute. All rights reserved.
B2E Identity
B2C Identity
G2C Identity
(Source of pictures) Microsoft Office Online
G2E Identity
3.
"Why is OpenID Connect relevant
for us enterprises?
It's a consumer technology,
is it not?"
4.
Not quite.
(because I have a very enterprisey background…)
5.
OpenID Connect
was built with
Enterprise use in
mind (as well as
consumer use);
helps you build
effective access
governance over
cloud services
6.
What are the de facto federation
and account provisioning
protocols?
7.
Identity Federation
• SAML?
Account Provisioning
• SPML?
8.
9.
Identity Federation
• Password Sharing
Account Provisioning
• Custom CSV
10.
Why did we fail?
11.
Too complex to understand.
Cognitive difficulty -> support difficulty
Different products did not interoperate.
A large Japanese manufacturer:
▪ > 3000 partners all around the world
▪ Many of them were working with multiple companies
▪ Tried to create a SAML federation but failed.
12.
CSV is easy.
• Hey, you just need Excel! And you can manually edit them!
Password Sharing is easy.
• Hey, it works on any application that supports passwords!
13.
Lots of (hidden) problems…
14.
Anything that more than 3 people know is not a secret!
Can easily get out of sync.
Allowing manual edit is a risk.
De-provisioning? Archiving?
Are you getting an audit trail of the access to those systems?
etc…
15.
#fail
16.
Let’s re-do.
This time, dead simple.
Yes, we are reinventing a wheel, but this time, it will be a little rounder.
17.
OpenID Connect & SCIM
18.
SAML vs. OpenID Connect

SAML Web SSO              | OpenID Connect
--------------------------|-----------------------------------
XML                       | JSON
XML Dsig                  | JSON Web Signature (JWS)
XML Encryption            | JSON Web Encryption (JWE)
SAML                      | JSON Web Token
SAML Assertion            | ID Token (OIDC)
SOAP (mostly…)            | REST
SAML Web SSO Profile      | Standard (= OAuth 2.0 binding)
SPML                      | SCIM
19.
identity: set of attributes related to an entity
(ISO/IEC 29115 | ITU-T X.1254)
Note: distinguish identity and identifier carefully.
20.
An example of simplistic enterprise “identity”
Employee number: A12349898
Name: John Smith
Position: General Manager
Department: Finance
Company: ABCD Holding
Location: NYHQ
Datetime: 29130809T12:34:11Z
21.
Employee number: A12349898
Name: John Smith
Position: General Manager
Department: Finance
Company: ABCD Holding
Location: NYHQ
Datetime: 29130809T12:34:11Z
logging
User interface
Access Control info
22.
Real Name
Professional qualification
Department
Geo-location
Employee number
Entity Identity Resource
Authentication
Policy Enforcement
Rules
23.
ABAC
Based on SP800-162 figure on page viii
identity
Resource
Rules
entity
24.
Real Name
Professional qualification
Department
Geo-location
Employee number
Entity Identity
Resource
Authentication PEP
PDP
PAP
Boss Metadata
Log Log
25.
Requirements
R1 • Access Control MUST be done with the dynamic attributes
R2 • Identity MUST be provided from the authoritative source
R3 • Need to be able to provide flexible security.
R4 • Need to be dead simple.
R5 • Interoperability is the king.
R6 • Limited connection (esp. mobile) ready.
R7 • Unified technology for enterprise and consumer.
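As an added example (not the deck's code) of the PAP / PDP / PEP split drawn on the ABAC slides and of R1 and R2: the PDP evaluates rules over the subject's identity attributes, named as in the sample identity on slide 20, plus dynamic environment attributes, and the PEP writes an audit line for every decision. The rules, the resources, the 15-minute freshness window and the geo_location attribute are hypothetical.

```python
from datetime import datetime, timedelta, timezone

# Constructed example: attribute names follow the slide 20 identity; rules and resources are hypothetical.
FRESHNESS = timedelta(minutes=15)   # how old a snapshot from the authoritative source may be (R2)

def parse_dt(s):
    """'20130809T12:34:11Z' (the Datetime form used on slide 20) -> timezone-aware datetime."""
    return datetime.strptime(s, "%Y%m%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

# PAP: each rule is (name, effect, predicate over subject, resource, environment attributes).
RULES = [
    ("stale-identity", "deny",                       # dynamic check: identity snapshot too old
     lambda s, r, e: e["now"] - parse_dt(s["Datetime"]) > FRESHNESS),
    ("own-department", "permit",
     lambda s, r, e: s["Department"] == r["owner_department"]
                     and r["classification"] != "restricted"),
    ("restricted-on-site-manager", "permit",         # dynamic check: where the user is right now (R1)
     lambda s, r, e: r["classification"] == "restricted"
                     and s["Position"] == "General Manager"
                     and e["geo_location"] == s["Location"]),
]

def pdp_decide(subject, resource, env):
    """Deny-overrides: any matching deny wins; otherwise at least one matching permit is needed."""
    matched = [(name, eff) for name, eff, pred in RULES if pred(subject, resource, env)]
    if any(eff == "deny" for _, eff in matched):
        return "deny", matched
    return ("permit" if any(eff == "permit" for _, eff in matched) else "deny"), matched

def pep_enforce(subject, resource, env, audit_log):
    """PEP: ask the PDP, record which rules fired and for whom, then enforce the decision."""
    decision, matched = pdp_decide(subject, resource, env)
    audit_log.append({"at": env["now"].isoformat(), "employee": subject["Employee number"],
                      "resource": resource["name"], "decision": decision,
                      "rules": [name for name, _ in matched]})
    return decision == "permit"
```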
26.
27.
Deployment Experiences of OpenID Connect
28.
What kind of deployment have we done?
Windows Domain integration
SMTP/IMAP/SSH & OpenID Connect
A large provider integration
Privacy Proxy
29.
Windows Domain Integration
AD
Connect Server
Access Log
Service
Service
Service
Service
Registration
Discovery
HR System
30.
Easy to implement
• Building was easy;
• Deployment was easy, partly because you can “provision” the linked accounts;
Nice user experience for enterprise users
• No login dialogues; leverages the Windows Logon;
• No consent – as it is administered by the admin, and it is following privacy rules;
• Helps avoid the “Pavlov’s Dog Problem”
31.
Turning Internet Dog into Pavlov’s Dog
(Source) Based on IIW dog
32.
But what about other protocols?
SMTP / IMAP / SSH etc.
Application Passwords …
33.
PAM Module for OpenID Connect
SMTP
IMAP
SSH
PAM OIDC Plugin
OpenID Connect Server
Thunderbird
Web Browser
Token
Token as Password
Token Introspection
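The flow on this slide, as an added example that is neither the deck's code nor that of any real PAM module: a mail or SSH client sends an OAuth access token in the password field, and a PAM plugin asks the OpenID Connect server's Token Introspection endpoint (modelled on the RFC 7662 response shape) whether to accept it, checking that the token is active, scoped to the service being used, and belongs to the account the client claims. Both sides are simulated in-process; the class names, the per-service scopes and the employee-number-to-account directory are hypothetical.

```python
import secrets
import time

# Constructed example: an in-process OpenID Connect server with an introspection endpoint and a
# PAM-style checker that treats the password field as an access token. All names are hypothetical.

class OpenIDConnectServer:
    """Token store plus an RFC 7662-shaped introspection endpoint."""
    def __init__(self):
        self._tokens = {}

    def issue(self, sub, client_id, scope, ttl, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)          # opaque reference token; nothing to decode client-side
        self._tokens[token] = {"sub": sub, "client_id": client_id, "scope": scope, "exp": now + ttl}
        return token

    def revoke(self, token):
        self._tokens.pop(token, None)

    def introspect(self, token, now=None):
        now = time.time() if now is None else now
        rec = self._tokens.get(token)
        if rec is None or rec["exp"] <= now:
            return {"active": False}               # say nothing more about unknown or expired tokens
        return {"active": True, **rec}

class PamOidcPlugin:
    """Stand-in for pam_sm_authenticate: username + token-as-password -> allow/deny plus an audit line."""
    def __init__(self, op, directory, audit_log):
        self.op = op                   # the OpenIDConnectServer above
        self.directory = directory     # sub (employee number) -> local account name
        self.audit_log = audit_log

    def authenticate(self, service, username, password, now=None):
        info = self.op.introspect(password, now)
        reasons = []
        if not info.get("active"):
            reasons.append("inactive")
        else:
            if service not in info["scope"].split():          # token must be scoped to this service
                reasons.append("scope")
            if self.directory.get(info["sub"]) != username:    # token must belong to the claimed account
                reasons.append("user")
        self.audit_log.append({"service": service, "user": username,
                               "sub": info.get("sub"), "ok": not reasons, "reasons": reasons})
        return not reasons
```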
34.
Make sure to follow verification rules
• Some implementations were bitten by not following MUSTs.
Never send an access token without an accompanying ID Token to any other clients.
• Otherwise, you will be subject to a token swap attack.
• http://www.thread-safe.com/2012/01/problem-with-oauth-for-authentication.html
Care should be taken with “code” and “token” server-side verification
• Maybe not so acute in most enterprise deployments, but one of the consumer solutions that we help run is doing 2000 tr/sec
35.