Patterns to Bring Enterprise and Social Identity to the Cloud


In this session, we will look at strategies to incorporate identity into cloud applications. Enterprise
identity or social login can both be a part of your go-to-cloud strategy, but you must plan for this
upfront, rather than try to retrofit identity and access control at a later date.


Transcript

  • 1. Patterns to Bring Enterprise and Social Identity to the Cloud
    K. Scott Morrison, SVP and Distinguished Engineer
  • 2. How many passwords do you have?
    Copyright © 2013 CA. All rights reserved.
  • 3. The Italian Solution
  • 4. Our Basic Problem
    Diagram: Secure Internal Network, Firewall
  • 5. Suppose We Recast the Problem?
    Diagram: Trading Partner, Secure Internal Network, Firewall
  • 6. This is Just Federation
    Diagram: Secure Internal Network, Trading Partner, IdP, Principal
  • 7. Admin Sets Up Trust Relationship
    Diagram: Secure Internal Network, IdP, Admin
  • 8. Let's Call This Pattern #1: SAML-based Federation
    Diagram: IdP, Service Provider, Principal. 1) Authenticate; acquire SAML token. 2) Message + SAML; Data.
    Note that this demonstrates the SAML browser POST profile. The artifact profile is harder to do through corporate firewalls.
  • 9. Can We Declare Victory?
    ✓ Basic Federation
  • 10. What Does It Mean To Have An Account?
    Diagram: Directory, Objects, Some Cloud Service, App Server
  • 11. What We Really Have Is A Synchronization Problem
    Diagram: Firewall, Objects, Identities, Enterprise Directory
  • 12. And What About Small Business?
    Travels mostly / Works from home / Works from Starbucks
  • 13. Look To Social Networking For Inspiration
  • 14. Conceptually Here Is What Happens
    1. User posts new tweet. 2. Twitter posts tweet to Facebook on user's behalf. (User Scott, Twitter, Facebook)
  • 15. A Bad First Attempt: Stored Passwords
    This is the "password anti-pattern". User Scott sends in his Facebook password; Twitter uses the Facebook password.
  • 16. OK, So Let's Try SAML
    Scott authenticates using his Twitter password. Twitter vouches that it authenticated Scott.
  • 17. But There Are Problems…
    How can we associate these different representations of Scott? Where are the limits on what Twitter can do?
  • 18. Here's A Smarter Approach
  • 19. Here's What It Looks Like When We're Done
    Scott authenticates using his Twitter password. Tweet plus access token authorizing Twitter to post for Scott. (OAuth Client; OAuth Authorization & Resource Servers)
  • 20. But OAuth Also Enables NASCAR-style Sign On
    Taken from sears.com
  • 21. Let's Call This Pattern #2: Social Sign-On
    Diagram: OAuth Authorization Server, OAuth Client, User, Data. 1) Authenticate; get code. 2) Pass code to client. 3) Validate code; get access token.
    This demonstrates grant_type=authorization_code.
    Note the user never sees the access token, only the client sees it. The user's session must be managed using other means (eg: session cookie, etc).
  • 22. This Is Actually A Profound Shift In Identity Mgmt
    The Old Enterprise vs. The New Hybrid Enterprise. This is the secret to achieving scale and agile federation.
  • 23. What is Really Different Here?
    • Integration with simple RESTful APIs
    • Very loose coupling
    • Very low ceremony
    • Very loose relationships driven by caller
      • Client to authorization server
      • User to client
    This all adds up to a distribution of responsibility that scales with no. of users.
  • 24. Delegation of Responsibility
    Let's drive home how this enables self-provisioning of clients & users. Diagram: Auth Server, Client, User; Authenticate; Get Code; TBD.
  • 25. But We're Not Quite At Federation
    • We have simple Single Sign-On
    • But what about attributes?
        <saml:AttributeStatement>
          <saml:Attribute FriendlyName="fooAttrib" Name="SFDC_USERNAME"
              NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
            <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                xsi:type="xs:string">user101@salesforce.com</saml:AttributeValue>
          </saml:Attribute>
        </saml:AttributeStatement>
    From: http://login.salesforce.com/help/doc/en/sso_saml_assertion_examples.htm
  • 26. This Is The Job Of OpenID Connect
    Diagram: OpenID Connect Endpoint, OAuth Client, User. Call to UserInfo endpoint for a specific scope; JSON structured attribute list of claims, eg: user's email, first name, last name, etc.
  • 27. Scopes Define Collections of Claims
    • Profile – name, family_name, given_name, middle_name, nickname, preferred_username, profile, picture, website, gender, birthdate, zoneinfo, locale, updated_at
    • Email – email
    • Address – address
    • Phone – phone_number, phone_number_verified
    • etc
    JSON Example:
        { "sub": "248289761001",
          "name": "Jane Doe",
          "given_name": "Jane",
          "family_name": "Doe",
          "preferred_username": "j.doe",
          "email": "janedoe@example.com",
          "picture": "http://example.com/janedoe/me.jpg"
        }
    From: http://openid.net/specs/openid-connect-basic-1_0.html
    Claims are associated with an access token.
  • 28. We're Almost There
    But we still have a registration problem. Diagram: Authorization Server, Client; provisioning of new users. This is obviously an enterprise problem, not an individual problem. They may already exist here. Remember our earlier point about what constitutes an "account".
  • 29. This Is What SCIM Is For
    API for user management. Diagram: Authorization Server, Client, Enterprise Administrator; Create New Users. SCIM defines user/group schema and REST endpoints for CRUD. SCIM stands for: System for Cross-domain Identity Management.
  • 30. We're Now Left With Two Deployment Options
    First, on-premise identity stores. Diagram: Secure Internal Network, Firewall, IdP. Leverages existing infrastructure.
  • 31. We're Now Left With Two Deployment Options
    Or cloud-based: Identity-as-a-Service. Diagram: Secure Internal Network.
  • 32. The Deployment Is Independent of Authorization Technology
    Choose SAML or OAuth based on operational goals.
    • SAML support is widespread
      • Dominant for enterprise SSO and federation
      • Strong in passive (browser) profiles
      • Less strong in active (classic SOAP or newer RESTful APIs) profiles
      • Lots of central administration and federation ceremony
    • OAuth/OpenID Connect is growing very fast
      • OAuth owns RESTful APIs
      • The world is not just about browsers any longer
      • Think about the rise of mobile apps
      • Fast to integrate, with no need to engage parties
      • Irresistible delegation model
      • Potential brand, regulatory, or organizational issues with social login
  • 33. Summary
    • SAML is not going away
      • Your existing investment is safe
      • It will continue to play a huge role in web-based federation
    • But OAuth+OpenID Connect+SCIM is coming on very strong
      • Driven by the rise of APIs and mobile devices
    • Don't let anyone tell you OAuth is just another auth token scheme
      • It really represents a shift in authority
  • 34. Questions
    K. Scott Morrison, Senior Vice President & Distinguished Engineer, CA Technologies
    405-1100 Melville, Vancouver, BC V6E 4B5 Canada
    +1 (604) 681-9377
    scott@layer7.com
    http://KScottMorrison.com
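As an added example that is not part of the deck, the following Python models Pattern #2 from slide 21 (the authorization_code grant, with the access token never reaching the user) together with the scope-to-claims release of slide 27 (a UserInfo call bounded by granted scopes). The AuthorizationServer class, its client registry, the user records and the 60-second code lifetime are constructed assumptions; the claim names are the ones listed on slide 27.

```python
import secrets
import time

# Claims released per OpenID Connect scope; names taken from slide 27, list trimmed.
SCOPE_CLAIMS = {
    "profile": {"name", "given_name", "family_name", "preferred_username", "picture"},
    "email": {"email"},
    "phone": {"phone_number", "phone_number_verified"},
}


class AuthorizationServer:
    """Hypothetical authorization + resource server: issues codes and tokens, serves UserInfo."""

    def __init__(self, users, clients):
        self.users = users      # sub -> claims dict (constructed sample data)
        self.clients = clients  # client_id -> (client_secret, registered redirect_uri)
        self.codes = {}         # code -> (sub, client_id, redirect_uri, scopes, expiry)
        self.tokens = {}        # access_token -> (sub, scopes)

    def authorize(self, sub, client_id, redirect_uri, scopes):
        """Steps 1-2: the user authenticates here; the browser only ever carries a short-lived code."""
        if redirect_uri != self.clients[client_id][1]:
            raise ValueError("redirect_uri does not match the client's registration")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (sub, client_id, redirect_uri, frozenset(scopes), time.time() + 60)
        return code

    def token(self, code, client_id, client_secret, redirect_uri):
        """Step 3: the client redeems the code over a back channel; the user never sees the token."""
        entry = self.codes.pop(code, None)  # single use: the code is consumed even if a check fails
        if entry is None:
            raise PermissionError("invalid_grant")
        sub, bound_client, bound_uri, scopes, expiry = entry
        if (client_id != bound_client or client_secret != self.clients[client_id][0]
                or redirect_uri != bound_uri or time.time() > expiry):
            raise PermissionError("invalid_grant")
        access_token = secrets.token_urlsafe(24)
        self.tokens[access_token] = (sub, scopes)
        return access_token

    def userinfo(self, access_token):
        """OpenID Connect UserInfo endpoint: claims are bounded by the scopes bound to the token."""
        sub, scopes = self.tokens[access_token]
        allowed = {"sub"}.union(*(SCOPE_CLAIMS.get(s, set()) for s in scopes))
        return {k: v for k, v in self.users[sub].items() if k in allowed}
```

authorize() hands the user agent nothing but the code, token() is the client's back-channel call that binds the code to client_id, client_secret and redirect_uri, and a replayed or mismatched code fails with invalid_grant.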