
CIS 2015 Session Management at Scale - Scott Tomilson & Jamshid Khosravian


Centralized session management has long been a goal of Web Access Management systems: the idea that one session can give end users access to dozens of protected applications with a seamless SSO experience, and that terminating it (either by the end user themselves, or by an administrator) cuts off access instantly. It's a nice dream, isn't it? It turns out that while most WAM products claim they can do this, when deployment time comes around (especially in globally distributed organizations) serious security and scalability challenges emerge that make it unfeasible. In this "session", come and learn our vision for deploying session management at scale and see how Ping Identity has implemented it in our Federated Access Management solution.

Published in: Technology


  1. Session Management at Scale. Speakers: Scott Tomilson, Jamshid (Jim) Khosravian
  2. Session Management Web. Copyright © 2015 Cloud Identity Summit. All rights reserved.
  3. Jamshid (Jim) Khosravian (Sorry that I say sorry so much)
     • Senior Software Developer at Ping Identity
     • Software Technology Enthusiast
     • Canadian
  4. Agenda
     • PingAccess Session Management
     • Session Initiation/Creation
     • Session Token attributes
     • Session Attributes and Timeouts
     • Single Logout
     • PingAccess Scalability
     • Q&A
  5. Session Initiation
     • PingAccess deployed in front of web apps (Proxy)
     • PingAccess Agent installed on the web server hosting the web app (Agent)
     • PingFederate and PingAccess interactions
  6. Proxy. High-level flow:
     1) Resource requested.
     2) PA checks URL policy: it's a protected resource and there is no PA session, so the user is redirected to PF to log in.
     3) User logs in; PF session created / validated.
     4) User redirected back to the resource; PA session created.
     5) PA session check: OK.
     6) Request OK; forwarded to the backend resource.
  7. Agent. High-level flow:
     1) Resource requested.
     2) PA agent forwards the request to the PA server.
     3) PA checks URL policy: it's a protected resource and there is no PA session, so PA creates a redirect to PF for the agent; the agent sends the redirect back.
     4) User logs in; PF session created / validated.
     5) User redirected back to the resource.
     6) PA agent forwards the request to the PA server.
     7) PA checks the PF response: OK; creates the session; sends the response to the agent.
     8) PA response OK; access granted; requested resource served.
  8. Session Initiation
     • "Varied" session management handled within IdP Adapters at time of authentication / SSO, e.g.:
       • HTML Form Adapter
       • IWA
       • WAM IK (third-party tokens)
     • Session tokens issued upon SSO and re-issued regularly to handle idle timeouts
     • JWT format (signed or encrypted)
     • Contain the attributes required by protected apps and the authn level
     • Can be scoped per application
  9. Session Token
     • JWT
       • Signed (JWS)
       • Encrypted (JWE)
     • Content
       • Session Attributes
       • (Optional) User Attributes
  10. Session Token (cont'd)
      Received PF ID Token (Signed):
        { "alg": "RS256", "kid": "gcs0e" }.
        {
          "sub": "joe",
          "aud": "PingAccessOIDC",
          "jti": "FfCzPyb74vu3va6RNjIBhC",
          "iss": "https://synapse.pingfederatelabs.com:9031",
          "iat": 1433128115,
          "exp": 1433128175,
          "pi.sri": "YPKOMwK7PF2xB9woQexUteMpn_U",
          "nonce": "rhZvrAswWdztaPq-RQSqcSVAWdOiXkRTGeg6y_zVvW0",
          "at_hash": "YSO7fz1xkW_kRliDzmJ_Sg"
        }.
        { Signature data }
      PA Session Token (Signed):
        { "pi.sri": "YPKOMwK7PF2xB9woQexUteMpn_U", "kid": "7", "alg": "ES256" }.
        {
          "sub": "joe",
          "aud": "global",
          "jti": "5c68d4a7-357c-475d-8f01-02c0ddfc90ca",
          "iat": 1433128123,
          "at_hash": "YSO7fz1xkW_kRliDzmJ_Sg",
          "iss": "PingAccess",
          "exp": 1433131723,
          "pingaccess_refresh_exp": 1433305544,
          "access_token": "9TwtEfi4fYnuQkDKUYnRivf8uHIN",
          "phone_number": "+1 (425) 555-1212",
          "role": "sales",
          "address": {
            "street_address": "123 Main Street",
            "country": "USA",
            "formatted": "123 Main Street, Smallville, ME USA 11223",
            "locality": "Smallville",
            "region": "ME",
            "postal_code": "11223"
          }
        }.
        { Signature data }
  11. Session Storage
      • Client Side
        • Session attributes and user attributes inside the session cookie
      • Server Side
        • Session attributes inside the session cookie
        • User attributes stored on the server
  12. Session Storage (cont'd)
      Session Token (Server):
        { "pi.sri": "YPKOMwK7PF2xB9woQexUteMpn_U", "kid": "7", "alg": "ES256" }.
        {
          "sub": "joe",
          "aud": "global",
          "jti": "5c68d4a7-357c-475d-8f01-02c0ddfc90ca",
          "iat": 1433128123,
          "updated_time": "2011-01-03T23:58:42+0000",
          "at_hash": "YSO7fz1xkW_kRliDzmJ_Sg",
          "iss": "PingAccess",
          "exp": 1433131723,
          "access_token": "9TwtEfi4fYnuQkDKUYnRivf8uHIN"
        }.
        { Signature data }
      Session Token (Client):
        { "pi.sri": "YPKOMwK7PF2xB9woQexUteMpn_U", "kid": "7", "alg": "ES256" }.
        {
          "sub": "joe",
          "aud": "global",
          "jti": "5c68d4a7-357c-475d-8f01-02c0ddfc90ca",
          "iat": 1433128123,
          "updated_time": "2011-01-03T23:58:42+0000",
          "at_hash": "YSO7fz1xkW_kRliDzmJ_Sg",
          "iss": "PingAccess",
          "exp": 1433131723,
          "access_token": "9TwtEfi4fYnuQkDKUYnRivf8uHIN",
          "pingaccess_refresh_exp": 1433305544,
          "phone_number": "+1 (425) 555-1212",
          "role": "sales",
          "address": {
            "street_address": "123 Main Street",
            "country": "USA",
            "formatted": "123 Main Street, Smallville, ME USA 11223",
            "locality": "Smallville",
            "postal_code": "11223"
          }
        }.
        { Signature data }
  13. Session Status Check and Refresh
      • Going back a couple of days … WHAT IF …
        WHAT IF THE RIGHT IDENTITY BECOMES A BAD ACTOR?
        WHAT IF IDENTITY IS TOO WEAK & TOO DISCONNECTED TO PROTECT US AT SCALE?
  14. Session Status Check and Refresh
      • PingFederate Session Reference ID validation
        • pi.sri session attribute
        • PingFederate Session State Cache (seconds)
      • PingAccess User Attribute Refresh
        • pingaccess_refresh_exp
        • Refresh User Attributes Interval (seconds)
  15. Session Timeout
      • Idle Timeout (Minutes): default 60 minutes
      • Max Timeout (Minutes): default 240 minutes

      JWT Attribute          Description
      "iat": 1433128123      JWT creation timestamp; will NOT change on reissue
      "exp": 1433131723      JWT expiry timestamp; will change on reissue
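The refresh and timeout rules from slides 14 and 15 can be modelled in a few lines. This is an added example, not Ping Identity's code: the claim names (iat, exp, pi.sri, pingaccess_refresh_exp) come from the deck, while the configuration values, the pf_session_valid / fetch_attrs hooks and the rule exp = min(now + idle, iat + max) are assumptions of the model.

```python
# Added example (not Ping Identity's code): model of the PingAccess session
# token lifecycle from slides 14 and 15. Claim names (iat, exp, pi.sri,
# pingaccess_refresh_exp) are from the deck; everything else is assumed.
IDLE_TIMEOUT = 60 * 60        # Idle Timeout, deck default 60 minutes
MAX_TIMEOUT = 240 * 60        # Max Timeout, deck default 240 minutes
REFRESH_INTERVAL = 30 * 60    # assumed Refresh User Attributes Interval
SRI_CACHE_TTL = 30            # assumed PingFederate Session State Cache (s)


def issue(sub, sri, now, user_attrs):
    """Initial PA session token; iat is fixed for the life of the session."""
    tok = {"sub": sub, "pi.sri": sri, "iat": now,
           "exp": now + min(IDLE_TIMEOUT, MAX_TIMEOUT),
           "pingaccess_refresh_exp": now + REFRESH_INTERVAL}
    tok.update(user_attrs)
    return tok


def check_and_reissue(tok, now, pf_session_valid, fetch_attrs, sri_cache):
    """Validate a presented token and return (new_token, reason).

    new_token is None when access must be denied. pf_session_valid(sri) asks
    PingFederate whether the referenced session still exists; its answer is
    cached per pi.sri for SRI_CACHE_TTL seconds so PF is not hit on every
    request. fetch_attrs(sub) re-reads the user attributes from PF.
    """
    if now >= tok["exp"]:
        return None, "expired (idle or max timeout)"
    sri = tok["pi.sri"]
    cached = sri_cache.get(sri)
    if cached is None or now - cached[0] >= SRI_CACHE_TTL:
        cached = (now, pf_session_valid(sri))
        sri_cache[sri] = cached
    if not cached[1]:
        return None, "PingFederate session revoked"
    new = dict(tok)
    # Sliding idle window; never extends past iat + MAX_TIMEOUT; iat unchanged.
    new["exp"] = min(now + IDLE_TIMEOUT, tok["iat"] + MAX_TIMEOUT)
    if now >= tok["pingaccess_refresh_exp"]:
        new.update(fetch_attrs(tok["sub"]))
        new["pingaccess_refresh_exp"] = now + REFRESH_INTERVAL
    return new, "reissued"
```

A revoked PF session is denied as soon as the cached pi.sri answer ages out, which is why the deck expresses the Session State Cache in seconds: it bounds the window between administrative logout and loss of access.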
  16. OpenID Connect Based Single Logout
      • Simple Logout (/pa/oidc/logout)
      • Single Logout
        • PF Config
          • Track User Sessions for Logout (AS setting)
          • Revoke User Session on Logout (Client Settings)
          • PingAccess Logout Capable (Client Settings)
        • https://<PF-BASE>/idp/startSLO.ping
  17. PingAccess Scalability
      • Stateless Engine Nodes
      • Load balancing and fail over for protected sites
      • Simple Engine Node Deployment
      • Token Mediation
  18. Stateless Engine Nodes
      • How much state?
        • Temporary Token Cache
        • (Optional) User Attributes
      • Self-contained Session Token
        • No state sharing needed
        • No shared database needed
        • Missing data is calculated or fetched from PF
  19. Load Balancing and Fail Over for Sites
      • Proxy deployment
        • Load balance requests to multiple instances of the target site
        • Fail-over strategy for target sites
      • (Coming soon) implement custom load-balancing strategies
  20. Simple Engine Node Deployment
      • Mostly environment setup
      • Engine:
        • Install JDK and PingAccess
        • Modify one line in run.properties
      • Agent:
        • Install the agent on the web server of choice
        • Create the Agent/Engine config file from the admin console and copy it to the target server
  21. Token Mediation
      • Token Exchange using WS-Trust
        • Server: PingFederate
        • Input: PA Session Token
        • Output: Tokens supported by PF (WAM, OpenToken, etc.)
      • Get a session token specific to a target site
  22. Thank you. Q&A
