Patterns to Bring Enterprise and Social Identity to the Cloud


In this session, we will look at strategies to incorporate identity into cloud applications. Enterprise
identity or social login can both be a part of your go-to-cloud strategy, but you must plan for this
upfront, rather than try to retrofit identity and access control at a later date.

Published in: Technology

  1. Patterns to Bring Enterprise and Social Identity to the Cloud
     K. Scott Morrison, SVP and Distinguished Engineer
  2. How many passwords do you have?
     Copyright © 2013 CA. All rights reserved.
  3. The Italian Solution
  4. Our Basic Problem
     (Diagram: Secure Internal Network, Firewall)
  5. Suppose We Recast the Problem?
     (Diagram: Trading Partner, Secure Internal Network, Firewall)
  6. This is Just Federation
     (Diagram: Trading Partner, IdP, Principal, Secure Internal Network)
  7. Admin Sets Up Trust Relationship
     (Diagram: Admin, IdP, Secure Internal Network)
  8. Let's Call This Pattern #1: SAML-based Federation
     (Diagram: Principal, IdP, Service Provider. 1) Authenticate, acquire SAML token. 2) Message + SAML, Data.)
     Note that this demonstrates the SAML browser POST profile. The artifact profile is harder to do through corporate firewalls.
  9. Can We Declare Victory?
     ✓ Basic Federation
  10. What Does It Mean To Have An Account?
     (Diagram: Directory, Objects, App Server, Some Cloud Service)
  11. What We Really Have: A Synchronization Problem
     (Diagram: Enterprise Directory, Objects, Identities, Firewall)
  12. And What About Small Business?
     (Diagram: Travels mostly; Works from home; Works from Starbucks)
  13. Look To Social Networking For Inspiration
  14. Conceptually Here Is What Happens
     1. User posts new tweet
     2. Twitter posts tweet to Facebook on user's behalf
     (Diagram: User Scott, Twitter, Facebook)
  15. This is the "password anti-pattern"
     A Bad First Attempt: Stored Passwords
     (Diagram: User Scott sends in Facebook password; Twitter uses Facebook password)
  16. OK, So Let's Try SAML
     (Diagram: Scott authenticates using his Twitter password; Twitter vouches it authenticated Scott)
  17. But There Are Problems…
     How can we associate these different representations of Scott?
     Where are the limits on what Twitter can do?
  18. Here's A Smarter Approach
  19. Here's What It Looks Like When We're Done
     (Diagram: Scott authenticates using his Twitter password; tweet plus access token authorizing Twitter to post for Scott; OAuth Client; OAuth Authorization & Resource Servers)
  20. But OAuth Also Enables NASCAR-style Sign On
     (Image taken from sears.com)
  21. Let's Call This Pattern #2: Social Sign-On
     (Diagram: User, OAuth Client, OAuth Authorization Server, Data. 1) Authenticate, get code. 2) Pass code to client. 3) Validate code, get access token.)
     This demonstrates grant_type=authorization_code.
     Note the user never sees the access token, only the client sees it. The user's session must be managed using other means (e.g. session cookie, etc.).
  22. This Is Actually A Profound Shift In Identity Mgmt
     The Old Enterprise vs. The New Hybrid Enterprise
     This is the secret to achieving scale and agile federation.
  23. What is Really Different Here?
     • Integration with simple RESTful APIs
     • Very loose coupling
     • Very low ceremony
     • Very loose relationships driven by caller
       • Client to authorization server
       • User to client
     This all adds up to a distribution of responsibility that scales with the number of users.
  24. Let's drive home how this enables self-provisioning of clients & users
     Delegation of Responsibility
     (Diagram: User, Client, Auth Server; Authenticate, Get Code; TBD)
  25. But We're Not Quite At Federation
     • We have simple Single Sign-On
     • But what about attributes?

         <saml:AttributeStatement>
           <saml:Attribute FriendlyName="fooAttrib" Name="SFDC_USERNAME"
                           NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
             <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                                  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                  xsi:type="xs:string">user101@salesforce.com</saml:AttributeValue>
           </saml:Attribute>
         </saml:AttributeStatement>

     From: http://login.salesforce.com/help/doc/en/sso_saml_assertion_examples.htm
  26. This Is The Job Of OpenID Connect
     (Diagram: User, OAuth Client, OpenID Connect Endpoint. Call to UserInfo endpoint for specific scope; JSON structured attribute list of claims, e.g. user's email, first name, last name, etc.)
  27. Scopes Define Collections of Claims
     • Profile – name, family_name, given_name, middle_name, nickname, preferred_username, profile, picture, website, gender, birthdate, zoneinfo, locale, updated_at
     • Email – email
     • Address – address
     • Phone – phone_number, phone_number_verified
     • etc.
     JSON Example:

         {
           "sub": "248289761001",
           "name": "Jane Doe",
           "given_name": "Jane",
           "family_name": "Doe",
           "preferred_username": "j.doe",
           "email": "janedoe@example.com",
           "picture": "http://example.com/janedoe/me.jpg"
         }

     From: http://openid.net/specs/openid-connect-basic-1_0.html
     Claims are associated with an access token.
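Added example, not from the slides: the authorization-code exchange of Pattern #2 (slide 21) and the scope-filtered UserInfo call of the OpenID Connect slides (26 and 27), modelled as one in-memory authorization server so the two halves can be run together. The client id, redirect URI, phone number claim and the PermissionError signalling are assumptions; the scope-to-claim map is a subset of the slide's list.

```python
import secrets

# Scope -> claims, a subset of the list on the "Scopes Define Collections of Claims" slide.
SCOPE_CLAIMS = {
    "profile": {"name", "given_name", "family_name", "preferred_username", "picture"},
    "email": {"email"},
    "phone": {"phone_number", "phone_number_verified"},
}
# Constructed user record (the slide's Jane Doe example plus a made-up phone number).
USERS = {"248289761001": {
    "name": "Jane Doe", "given_name": "Jane", "family_name": "Doe",
    "preferred_username": "j.doe", "email": "janedoe@example.com",
    "picture": "http://example.com/janedoe/me.jpg",
    "phone_number": "+1-555-0100", "phone_number_verified": True}}


class AuthorizationServer:
    """In-memory OAuth 2.0 authorization server with an OpenID Connect UserInfo endpoint."""
    def __init__(self, clients):
        self.clients = clients  # client_id -> registered redirect_uri (assumed registration)
        self.codes = {}         # code -> (sub, client_id, redirect_uri, scopes)
        self.tokens = {}        # access_token -> (sub, scopes)

    def authorize(self, sub, client_id, redirect_uri, scope):
        # Steps 1-2: the user authenticated here; only a short-lived code goes back
        # through the browser, bound to the requesting client and its redirect_uri.
        if self.clients.get(client_id) != redirect_uri:
            raise PermissionError("unknown client or redirect_uri mismatch")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (sub, client_id, redirect_uri, set(scope.split()))
        return code

    def token(self, code, client_id, redirect_uri):
        # Step 3: the client redeems the code on the back channel. pop() makes the
        # code single-use; it is also only valid for the client it was issued to.
        entry = self.codes.pop(code, None)
        if entry is None or entry[1] != client_id or entry[2] != redirect_uri:
            raise PermissionError("invalid_grant")
        sub, _, _, scopes = entry
        access_token = secrets.token_urlsafe(24)
        self.tokens[access_token] = (sub, scopes)
        return access_token  # held by the client only; the user's browser never sees it

    def userinfo(self, access_token):
        # UserInfo returns just the claims covered by the scopes granted to this token.
        if access_token not in self.tokens:
            raise PermissionError("invalid_token")
        sub, scopes = self.tokens[access_token]
        allowed = set().union(*(SCOPE_CLAIMS.get(s, set()) for s in scopes))
        return {"sub": sub, **{k: v for k, v in USERS[sub].items() if k in allowed}}
```

A scope the token was not granted (here "phone") yields no claims, and a replayed code is refused because it was popped on first use.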
  28. We're Almost There
     But we still have a registration problem
     (Diagram: Client, Authorization Server; provisioning of new users; they may already exist here)
     This is obviously an enterprise problem, not an individual problem.
     Remember our earlier point about what constitutes an "account".
  29. This Is What SCIM Is For
     API for user management
     SCIM stands for: System for Cross-domain Identity Management
     SCIM defines user/group schema and REST endpoints for CRUD
     (Diagram: Enterprise Administrator, Client, Authorization Server; create new users)
  30. We're Now Left With Two Deployment Options
     First, on-premise identity stores: leverages existing infrastructure
     (Diagram: IdP, Secure Internal Network, Firewall)
  31. We're Now Left With Two Deployment Options
     Or cloud-based: Identity-as-a-Service
     (Diagram: Secure Internal Network)
  32. The Deployment Is Independent of Authorization Technology
     Choose SAML or OAuth based on operational goals
     • SAML support is widespread
       • Dominant for enterprise SSO and federation
       • Strong in passive (browser) profiles
       • Less strong in active (classic SOAP or newer RESTful APIs) profiles
       • Lots of central administration and federation ceremony
     • OAuth/OpenID Connect is growing very fast
       • OAuth owns RESTful APIs
       • The world is not just about browsers any longer
       • Think about the rise of mobile apps
       • Fast to integrate, with no need to engage parties
       • Irresistible delegation model
       • Potential brand, regulatory, or organizational issues with social login
  33. Summary
     • SAML is not going away
       • Your existing investment is safe
       • It will continue to play a huge role in web-based federation
     • But OAuth + OpenID Connect + SCIM is coming on very strong
       • Driven by the rise of APIs and mobile devices
     • Don't let anyone tell you OAuth is just another auth token scheme
       • It really represents a shift in authority
  34. Questions
     K. Scott Morrison, Senior Vice President & Distinguished Engineer, CA Technologies
     405-1100 Melville, Vancouver, BC V6E 4B5 Canada
     +1 (604) 681-9377
     scott@layer7.com
     http://KScottMorrison.com