Patterns to Bring Enterprise and Social Identity to the Cloud


In this session, we will look at strategies to incorporate identity into cloud applications. Enterprise
identity or social login can both be a part of your go-to-cloud strategy, but you must plan for this
upfront, rather than try to retrofit identity and access control at a later date.

Transcript

  • 1. Patterns to Bring Enterprise and Social Identity to the Cloud. K. Scott Morrison, SVP and Distinguished Engineer
  • 2. Copyright © 2013 CA. All rights reserved. How many passwords do you have?
  • 3. The Italian Solution
  • 4. Our Basic Problem. Diagram: Secure Internal Network; Firewall
  • 5. Suppose We Recast the Problem? Diagram: Trading Partner; Secure Internal Network; Firewall
  • 6. This Is Just Federation. Diagram: Trading Partner; IdP; Principal; Secure Internal Network
  • 7. Admin Sets Up Trust Relationship. Diagram: IdP; Admin; Secure Internal Network
  • 8. Let's Call This Pattern #1: SAML-based Federation. Diagram: Principal; IdP; Service Provider. 1) Authenticate, acquire SAML token. 2) Message + SAML; Data. Note that this demonstrates the SAML browser POST profile. The artifact profile is harder to do through corporate firewalls.
  • 9. Can We Declare Victory? ✓ Basic Federation
  • 10. What Does It Mean To Have An Account? Diagram: Directory; Objects; Some Cloud Service; App Server
  • 11. What We Really Have Is A Synchronization Problem. Diagram: Enterprise Directory; Identities; Objects; Firewall
  • 12. And What About Small Business? Travels mostly; Works from home; Works from Starbucks
  • 13. Look To Social Networking For Inspiration
  • 14. Conceptually Here Is What Happens. Diagram: User Scott; Twitter; Facebook. 1. User posts new tweet. 2. Twitter posts tweet to Facebook on user's behalf.
  • 15. A Bad First Attempt: Stored Passwords. This is the "password anti-pattern". User Scott sends in his Facebook password; Twitter uses the Facebook password.
  • 16. OK, So Let's Try SAML. Scott authenticates using his Twitter password; Twitter vouches that it authenticated Scott.
  • 17. But There Are Problems… How can we associate these different representations of Scott? Where are the limits on what Twitter can do?
  • 18. Here's A Smarter Approach
  • 19. Here's What It Looks Like When We're Done. Diagram: User Scott; OAuth Client; OAuth Authorization & Resource Servers. Scott authenticates using his Twitter password; tweet plus access token authorizing Twitter to post for Scott.
  • 20. But OAuth Also Enables NASCAR-style Sign On. (Taken from sears.com)
  • 21. Let's Call This Pattern #2: Social Sign-On. Diagram: User; OAuth Client; OAuth Authorization Server; Data. 1) Authenticate, get code. 2) Pass code to client. 3) Validate code, get access token. This demonstrates grant-type=authorization_code. Note the user never sees the access token, only the client sees it. The user's session must be managed using other means (e.g. a session cookie).
  • 22. This Is Actually A Profound Shift In Identity Mgmt. The Old Enterprise vs. The New Hybrid Enterprise. This is the secret to achieving scale and agile federation.
  • 23. What Is Really Different Here?
      • Integration with simple RESTful APIs
      • Very loose coupling
      • Very low ceremony
      • Very loose relationships driven by caller
          • Client to authorization server
          • User to client
      This all adds up to a distribution of responsibility that scales with the number of users.
  • 24. Delegation of Responsibility. Let's drive home how this enables self-provisioning of clients & users. Diagram: Auth Server; Client; User; Authenticate; Get Code; TBD
  • 25. But We're Not Quite At Federation.
      • We have simple Single Sign-On
      • But what about attributes?
      <saml:AttributeStatement>
        <saml:Attribute FriendlyName="fooAttrib" Name="SFDC_USERNAME"
            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
          <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:type="xs:string">user101@salesforce.com</saml:AttributeValue>
        </saml:Attribute>
      </saml:AttributeStatement>
      From: http://login.salesforce.com/help/doc/en/sso_saml_assertion_examples.htm
  • 26. This Is The Job Of OpenID Connect. Diagram: User; OAuth Client; OpenID Connect Endpoint. Call to UserInfo endpoint for a specific scope; JSON structured attribute list of claims (e.g. user's email, first name, last name, etc.)
  • 27. Scopes Define Collections of Claims.
      • Profile – name, family_name, given_name, middle_name, nickname, preferred_username, profile, picture, website, gender, birthdate, zoneinfo, locale, updated_at
      • Email – email
      • Address – address
      • Phone – phone_number, phone_number_verified
      • etc.
      JSON example:
      {
        "sub": "248289761001",
        "name": "Jane Doe",
        "given_name": "Jane",
        "family_name": "Doe",
        "preferred_username": "j.doe",
        "email": "janedoe@example.com",
        "picture": "http://example.com/janedoe/me.jpg"
      }
      From: http://openid.net/specs/openid-connect-basic-1_0.html
      Claims are associated with an access token.
  • 28. 32        Copyright © 2013 CA. All rights reserved.But  we  s5ll  have  a  registra5on  problem  We’re  Almost  There  AuthorizationServerClientProvisioning ofnew usersThis is obviously an enterpriseproblem, not an individual problemThey may alreadyexist hereRemember our earlierpoint about whatconstitutes an “account”
  • 29. 33        Copyright © 2013 CA. All rights reserved.API  for  user  management  This  Is  The  What  SCIM  Is  For  AuthorizationServerClientCreateNewUsersSCIM defines user/groupschema and RESTendpoints for CRUDSCIM stands for:System for Cross-domain Identity ManagementEnterpriseAdministrator
  • 30. We're Now Left With Two Deployment Options. First, on-premise identity stores: leverages existing infrastructure. Diagram: IdP; Secure Internal Network; Firewall
  • 31. We're Now Left With Two Deployment Options. Or cloud-based: Identity-as-a-Service. Diagram: Secure Internal Network
  • 32. The Deployment Is Independent of Authorization Technology. Choose SAML or OAuth based on operational goals.
      • SAML support is widespread
          • Dominant for enterprise SSO and federation
          • Strong in passive (browser) profiles
          • Less strong in active (classic SOAP or newer RESTful APIs) profiles
          • Lots of central administration and federation ceremony
      • OAuth/OpenID Connect is growing very fast
          • OAuth owns RESTful APIs
          • The world is not just about browsers any longer
              • Think about the rise of mobile apps
          • Fast to integrate, with no need to engage parties
          • Irresistible delegation model
          • Potential brand, regulatory, or organizational issues with social login
  • 33. Summary
      • SAML is not going away
          • Your existing investment is safe
          • It will continue to play a huge role in web-based federation
      • But OAuth + OpenID Connect + SCIM is coming on very strong
          • Driven by the rise of APIs and mobile devices
      • Don't let anyone tell you OAuth is just another auth token scheme
          • It really represents a shift in authority
  • 34. Questions. K. Scott Morrison, Senior Vice President & Distinguished Engineer, CA Technologies. 405-1100 Melville, Vancouver, BC V6E 4B5, Canada. +1 (604) 681-9377. scott@layer7.com. http://KScottMorrison.com
