4. Consumer Identity
• Huge scale and potential rapid growth
• FB >1.3B active users
• Instagram 150M active users in less than 3 years
• Self managed identity
• Simple namespace
• Identity won’t drive adoption, but could hamper it
• Must deal with recovery & credential management
5. Enterprise Identity
• Centrally managed/controlled
• Role based entitlements & authorization
• Demand more complex security policies
• Federation is very high priority
• Namespace complexity
• Multiple identifiers
• Account/tenant validation could be tricky
• Join/Split
6. Mix of Consumer & Enterprise
• How does transfer of control pan out
• Consumer -> enterprise
• Enterprise -> consumer (?)
• Who owns data associated with the identity?
• Namespace is even more complex
• Account recovery
• Multiple identifiers
• …
14. What is SCIM?
• Simple Cloud Identity Management -> System for Cross-domain Identity Management
• Set of pre-defined schema – Users & Groups
• RESTful API definition
• CRUD
• Bulk operations
• Search
• Discovery
• Extension semantics (limited in 1.x)
• Support for complex data models
• SIMPLE!!!
15. Schema
• Rich information model
• XML & JSON data models
• Concrete artifacts
• Users & Groups
• Usage semantics
• MTI & recommended
• Extensibility
• Enterprise User
[Schema diagram: Resource (id, meta); Core Resource; ServiceProviderConfig; Schema; User; Group; Enterprise User; externalId]
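To make the schema slide concrete, the following is an added example (not code from the deck or from any SCIM implementation) showing what a SCIM User resource with the Enterprise User extension looks like and the checks a service provider would run on it: the one mandatory core attribute (userName), that every extension declared in "schemas" is actually present and vice versa, and that server-assigned attributes (id, meta) supplied by the client are dropped on create while the client's own externalId is kept. The schema URNs are the SCIM 2.0 ones from RFC 7643 (plus the 1.x core URN); the user values are constructed.

```python
import copy

# Schema URNs from SCIM 2.0 (RFC 7643). The deck's "1.x" refers to the older
# "urn:scim:schemas:core:1.0" identifier, so both spellings are accepted.
CORE_USER_SCHEMAS = {
    "urn:ietf:params:scim:schemas:core:2.0:User",
    "urn:scim:schemas:core:1.0",
}
ENTERPRISE_USER_SCHEMA = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
# Attributes only the service provider may assign; a client must not set them.
SERVER_ASSIGNED = {"id", "meta"}

# Constructed sample: the body a SCIM client would POST to /Users. Values are made up.
SAMPLE_USER = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User", ENTERPRISE_USER_SCHEMA],
    "id": "2819c223-7f76-453a-919d-413861904646",   # client should not send this
    "externalId": "hr-0001",                        # the client's own identifier
    "userName": "homer.simpson@example.com",
    "name": {"givenName": "Homer", "familyName": "Simpson"},
    "emails": [{"value": "homer.simpson@example.com", "primary": True}],
    "active": True,
    ENTERPRISE_USER_SCHEMA: {
        "employeeNumber": "0001",
        "department": "Safety",
        "manager": {"value": "26118915-6090-4610-87e4-49d8ca9f808d"},
    },
    "meta": {"resourceType": "User", "version": 'W/"1"'},
}


def validate_user(resource):
    """Return a list of problems; an empty list means the resource is acceptable.

    Checks the required core attribute (userName), that each extension URN
    listed in "schemas" carries its attribute object, and that no extension
    object is present without being declared in "schemas".
    """
    problems = []
    schemas = resource.get("schemas")
    if not isinstance(schemas, list) or not (set(schemas) & CORE_USER_SCHEMAS):
        problems.append("'schemas' must include the core User schema")
        schemas = schemas if isinstance(schemas, list) else []
    user_name = resource.get("userName")
    if not isinstance(user_name, str) or not user_name.strip():
        problems.append("userName is required and must be a non-empty string")
    for urn in schemas:
        if urn not in CORE_USER_SCHEMAS and not isinstance(resource.get(urn), dict):
            problems.append(f"extension {urn} declared but has no attribute object")
    for key in resource:
        if key.startswith("urn:") and key not in schemas:
            problems.append(f"extension {key} present but not declared in 'schemas'")
    return problems


def prepare_for_create(resource):
    """Copy of the resource as the service provider should store it on POST:
    client-supplied server-assigned attributes are dropped, externalId is kept
    so the client can correlate its record with the server-assigned id later."""
    stored = copy.deepcopy(resource)
    for attr in SERVER_ASSIGNED:
        stored.pop(attr, None)
    return stored


def enterprise_attrs(resource):
    """The Enterprise User extension attributes, or {} if the extension is not declared."""
    if ENTERPRISE_USER_SCHEMA not in resource.get("schemas", []):
        return {}
    return resource.get(ENTERPRISE_USER_SCHEMA, {})


if __name__ == "__main__":
    print("problems:", validate_user(SAMPLE_USER))
    print("stored keys:", sorted(prepare_for_create(SAMPLE_USER)))
    print("department:", enterprise_attrs(SAMPLE_USER)["department"])
```

The declared-versus-present check matters in practice: an extension object that arrives without its URN in "schemas" is either a client bug or an attempt to smuggle attributes past schema handling, and either way it should be rejected rather than silently stored.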
19. SAML
• Security Assertion Markup Language
• XML-based protocol
• OASIS standard; version 2.0 in 2005
• Most common enterprise federation
• SP or IdP initiated flows
• Web Browser SSO is most common
[Web Browser SSO diagram: IdP and Service Provider (Trust relationship between them), User; Service Request, Authentication]
22. What is OAuth?
• A token based service for authorization to resources
• IETF standard – RFC6749, RFC6750
• Typically has a RESTful binding, always HTTP
• Removes passwords from resource access
• Separates token issuance from resource access
• Supports multiple flows to obtain access tokens
• OAuth is not an authentication service
23. OAuth Example – 1st Time Access
[Sequence diagram: Web Browser, Web App, Authorization, Authentication, Resource; a Trust link is drawn]
1. I need the authorization to change Homer's avatar
2. Is this really Homer?
3. Please enter your username and password
4. HomerJS / 1234
5. It is Homer
6. Homer, you cool with this?
7. Yep!
8. You may change Homer's preferences (access token)
9. I need to change Homer's avatar (access token)
10. Is access authorized?
11. Access is authorized
24. OAuth Example – 2nd, 3rd, 4th… Times
[Sequence diagram: Web Browser, Web App, Authorization, Authentication, Resource; a Trust link is drawn]
1. I need to change Homer's avatar (access token)
2. Is access authorized?
3. Access is authorized
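The two slides above describe the same flow twice: once with the user in the loop, then with the stored token only. The following is an added example (not from the deck, and not a real OAuth library) that models both in one place: an in-memory authorization server that issues an opaque token once the user has been authenticated and has consented (steps 2 to 8 of the first slide), and a resource server that never sees a password and instead asks the authorization server whether the presented token is valid for this subject and scope (steps 9 to 11, and steps 1 to 3 on every later visit). The scope name avatar:write, the subject names and the avatar file names are constructed for the example; the user-facing steps 2 to 7 are collapsed into a consented flag.

```python
import secrets
import time


class AuthorizationServer:
    """Issues opaque access tokens and answers the resource's
    'is access authorized?' question. In-memory and single-process:
    constructed for this example only."""

    def __init__(self):
        self._tokens = {}  # token -> {"sub": ..., "scope": set(...), "exp": ...}

    def issue_token(self, subject, scope, consented, ttl_seconds=3600, now=None):
        """Step 8. Called only after the authentication service confirmed the
        user (steps 2-5) and the user approved the request (steps 6-7).
        The token is random, so it carries nothing derived from the password."""
        if not consented:
            raise PermissionError("user did not approve the request")
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._tokens[token] = {"sub": subject, "scope": set(scope), "exp": now + ttl_seconds}
        return token

    def is_authorized(self, token, subject, required_scope, now=None):
        """Steps 10-11 (and steps 2-3 on later visits): true only if the token
        is known, unexpired, bound to this subject and carries the scope."""
        now = time.time() if now is None else now
        entry = self._tokens.get(token)
        if entry is None:
            return False
        if now >= entry["exp"]:
            del self._tokens[token]  # drop expired tokens eagerly
            return False
        return entry["sub"] == subject and required_scope in entry["scope"]

    def revoke(self, token):
        """Cuts a web app off without the user changing a password."""
        self._tokens.pop(token, None)


class ResourceServer:
    """Holds the avatars. Every request carries an access token, never a
    password, and is checked with the authorization server (step 10)."""

    def __init__(self, authz):
        self._authz = authz
        self.avatars = {}

    def change_avatar(self, token, subject, new_avatar, now=None):
        """Step 9: 'I need to change Homer's avatar (access token)'."""
        if not self._authz.is_authorized(token, subject, "avatar:write", now=now):
            return "403 Forbidden"
        self.avatars[subject] = new_avatar
        return "200 OK"


def first_time_access(authz, resource, subject="Homer", consented=True):
    """Slide 23 compressed: steps 2-7 are represented by the consented flag,
    then the web app is handed a token (step 8) and uses it (steps 9-11)."""
    token = authz.issue_token(subject, ["avatar:write"], consented=consented)
    return token, resource.change_avatar(token, subject, "donut.png")


def later_access(resource, token, subject="Homer"):
    """Slide 24: no user interaction, the stored token is presented again."""
    return resource.change_avatar(token, subject, "moe.png")


if __name__ == "__main__":
    authz = AuthorizationServer()
    resource = ResourceServer(authz)
    token, status = first_time_access(authz, resource)
    print(status, later_access(resource, token))
```

The point of binding the token to a subject as well as a scope is the check the resource server makes in step 10: a token issued for Homer must not let the web app change Marge's avatar, and an expired or revoked token must fail the same check on the second, third and fourth visits even though no user is present to notice.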
25. OpenID Connect
• Nothing to do with OpenID!
• Based on OAuth2
• Adds Identity token, session management, UserInfo endpoint, …
• Rapidly being adopted
• Will likely replace SAML
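What the identity token adds on top of the OAuth flow is a signed statement of who the user is, and the relying party has to verify it rather than trust it. The following is an added example (not code from the deck or from any OpenID Connect library) that mints an ID token as an OpenID Provider would, as an HS256 JWT keyed with the client secret, one of the signing options OpenID Connect Core allows for confidential clients, and then performs the relying party's checks from OpenID Connect Core 1.0 section 3.1.3.7: signature, iss, aud, exp and nonce. The issuer URL, client id, client secret, subject and timestamps are all constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for the example: a made-up provider, client id and secret.
ISSUER = "https://op.example.com"
CLIENT_ID = "avatar-web-app"
CLIENT_SECRET = "constructed-client-secret-do-not-reuse"


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims, client_secret):
    """What the OpenID Provider produces: header.payload.signature, signed
    with HMAC-SHA256 over the first two segments using the client secret."""
    header = {"alg": "HS256", "typ": "JWT"}
    parts = [
        _b64url(json.dumps(header, separators=(",", ":")).encode()),
        _b64url(json.dumps(claims, separators=(",", ":")).encode()),
    ]
    signing_input = ".".join(parts).encode("ascii")
    sig = hmac.new(client_secret.encode(), signing_input, hashlib.sha256).digest()
    return ".".join(parts + [_b64url(sig)])


def verify_id_token(token, client_secret, issuer, client_id, nonce, now=None):
    """The relying party's checks: signature first, then iss, aud, exp, nonce.
    Returns the claims on success, raises ValueError on any failure."""
    now = time.time() if now is None else now
    pieces = token.split(".")
    if len(pieces) != 3:
        raise ValueError("malformed token")
    head_b64, payload_b64, sig_b64 = pieces
    header = json.loads(_b64url_decode(head_b64))
    # Pin the algorithm: the token is not allowed to choose 'none' or another alg.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(client_secret.encode(),
                        f"{head_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not intended for this client")
    if now >= float(claims.get("exp", 0)):
        raise ValueError("token expired")
    # The nonce ties this token to the login request the client started.
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch (possible replay)")
    return claims


# Constructed sample, issued at a fixed time so the checks are reproducible.
SAMPLE_CLAIMS = {"iss": ISSUER, "sub": "homer-42", "aud": CLIENT_ID,
                 "iat": 1700000000, "exp": 1700003600, "nonce": "n-0a1b2c"}
SAMPLE_TOKEN = mint_id_token(SAMPLE_CLAIMS, CLIENT_SECRET)

if __name__ == "__main__":
    ok = verify_id_token(SAMPLE_TOKEN, CLIENT_SECRET, ISSUER, CLIENT_ID, "n-0a1b2c", now=1700000100)
    print("authenticated subject:", ok["sub"])
```

The order of the checks is deliberate: nothing in the payload is read until the signature over it has been verified with the algorithm the relying party expects, so a forged or alg-swapped token is rejected before its iss or sub values can influence anything.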