Brian Campbell
CIS Napa
July 2013
Hope or Hype: A Look at the Next Generation of Identity Standards
OpenID Connect, OAuth, JOSE and JWT may be the new kids on the block, but many experts and visionaries have already anointed them to replace SAML. Is the wheel being needlessly reinvented or is genuine progress on the horizon?

Brian Campbell, Portfolio Architect, Ping Identity

  • Last year in Vail, CO…
  • I wrote some SAML code 2 weeks ago. "At the end of the day, if you want to talk to me, you need to talk SAML" - a Fortune 100 financial services organization
  • Lots of hype
  • My first look in March 2012: Too big & unwieldy. Too much duplication. A review takes days. Inconsistencies arise. Long and drawn out process. Drafts spanning 4 WGs and 2 standards bodies. Attention of various participants comes and goes. Number of day to day participants isn’t huge. These 3 accepting the award. No HTTP POST. No IDP init until very recently (and maybe hasn’t been well vetted).
  • Often asked: What makes Connect better than SAML? Why would you choose one over the other? Struggled to answer.
  • Despite all that, there are some things that really I’m encouraged by. An opportunity to do some things better.
  • A year later…
  • Fighting the password sharing anti-pattern. Get a token, use a token.
  • “a simple identity layer on top of the OAuth 2.0 protocol”
  • Talk through example: claims then header (dot concatenated base64url segments). Can also be OAuth access tokens (among other things). JWT & JWS are some of the underpinnings of Connect. There’s also JWE -> Header.EncryptedKey.InitializationVector.Ciphertext.AuthenticationTag (Authenticated Encryption only, which is nice).
  • The JWT from previous slide alongside a roughly comparable SAML Assertion (which usually still needs to be encoded and/or wrapped in a Response).
  • (among others) Brad Hill shown @ CIS2011 is smaht
  • Basically bare keys in JSON. Can be: published at an HTTPS endpoint; saved in a file, sent in an email; used in place of self-signed certificates. The kid field/header can be the link. Potential for well-defined and interoperable key rollover (I even wrote this into Connect).

    1. Brian Campbell, CIS Napa, July 2013, @__b_c. Background and layout of slides specially designed for @lpeterman & @NishantK
    2. http://flic.kr/s/aHsjziVAwV
    3. http://flic.kr/s/aHsjAP3nKo
    4. SAML is DEAD! * http://www.linkedin.com/in/burtonian SAML @craigburton
    5. WTF “SAML is dead”? I’ve got a mortgage to pay… *Disclaimer: I work with these guys at Ping. But I just started this job! @paulmadsen @ian13550
    6. *http://blogs.kuppingercole.com/kearns/2012/07/31/the-death-and-life-of-a-protocol/ * @dak3
    7. • OpenID Connect
       • simple JSON/REST-based interoperable identity protocol built on top of the OAuth 2.0 family of specifications.
       • design philosophy: “make simple things simple and make complicated things possible.”
       • Wins 2012 European Identity and Cloud Award
       • “OpenID Connect the award[ed] Best Innovation/New Standard this year. What’s most impressive is that this elegantly simple design resulted from the cooperation of such a diverse global set of contributors. I expect OpenID Connect to have a substantial positive impact on usable, secure identity solutions both for traditional computing platforms and mobile devices. My congratulations to the OpenID Foundation!” - Dave Kearns
       • “spurs global economic growth by enabling simple and secure exchange of verified attributes from multiple sources at Internet scale.” http://openid.net/2012/04/18/openid-connect-wins-2012-european-identity-and-cloud-award/
    8. May, 2010: Conceptual Debut of Connect. Time elapses. February, 2012: 1st Implementer’s Drafts. March 2012. Time elapses. May, 2013: 2nd Implementer’s Drafts …? https://twitter.com/__b_c/status/181884679513833473 three nerds holding a blurry piece of paper... *Disclaimer: this guy also ‘works’ for Ping. And I know these guys reasonably well from various initiatives. http://www.thread-safe.com/2012/04/openid-connect-wins-2012-european.html “The OpenID Connect specifications are expected to be completed in the second half of 2012.” @selfissued @_nat_en @ve7jtb
    9. *I did actually receive permission to use this photo @JasonABonds
    10. Client, Resource Server, Authorization Server, Authorization Endpoint, Token Endpoint. Important Stuff: Where the magic happens
    11. Discovery; Client = Relying Party; Resource Server; Authorization Server = Identity Provider or IDP or OpenID Provider or OP; Authorization Endpoint; Token Endpoint; Important Stuff; Userinfo Endpoint; Registration Endpoint; JWKS Endpoint; JWKS Endpoint; Validate (JWT) ID Token; /.well-known /webfinger /openid-configuration; Check Session IFrame; End Session Endpoint
    12. The JWT
        eyJraWQiOiI1IiwiYWxnIjoiRVMyNTYifQ.eyJpc3MiOiJodHRwczpcL1wvaWRwLmV4YW1wbGUuY29tIiwKImV4cCI6MTM1NzI1NTc4OCwKImF1ZCI6Imh0dHBzOlwvXC9zcC5leGFtcGxlLm9yZyIsCiJqdGkiOiJ0bVl2WVZVMng4THZONzJCNVFfRWFjSC5fNUEiLAoiYWNyIjoiMiIsCiJzdWIiOiJCcmlhbiJ9.SbPJIx_JSRM1wluioY0SvfykKWK_yK4LO0BKBiESHu0GUGwikgC8iPrv8qnVkIK1aljVMXcbgYnZixZJ5UOArg
        The Header: {"kid":"5","alg":"ES256"}
        The Payload: {"iss":"https://idp.example.com", "exp":1357255788, "aud":"https://sp.example.org", "jti":"tmYvYVU2x8LvN72B5Q_EacH._5A", "acr":"2", "sub":"Brian"}
        The Signature: [computery junk]
    13. eyJraWQiOiI1IiwiYWxnIjoiRVMyNTYifQ.eyJpc3MiOiJodHRwczpcL1wvaWRwLmV4YW1wbGUuY29tIiwKImV4cCI6MTM1NzI1NTc4OCwKImF1ZCI6Imh0dHBzOlwvXC9zcC5leGFtcGxlLm9yZyIsCiJqdGkiOiJ0bVl2WVZVMng4THZONzJCNVFfRWFjSC5fNUEiLAoiYWNyIjoiMiIsCiJzdWIiOiJCcmlhbiJ9.SbPJIx_JSRM1wluioY0SvfykKWK_yK4LO0BKBiESHu0GUGwikgC8iPrv8qnVkIK1aljVMXcbgYnZixZJ5UOArg
        <Assertion Version="2.0" IssueInstant="2013-01-03T23:34:38.546Z" ID="oPm.DxOqT3ZZi83IwuVr3x83xlr"
                   xmlns="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          <Issuer>https://idp.example.com</Issuer>
          <ds:Signature>
            <ds:SignedInfo>
              <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
              <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256"/>
              <ds:Reference URI="#oPm.DxOqT3ZZi83IwuVr3x83xlr">
                <ds:Transforms>
                  <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                  <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                <ds:DigestValue>8JT03jjlsqBgXhStxmDhs2zlCPsgMkMTC1lIK9g7e0o=</ds:DigestValue>
              </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>SAXf8eCmTjuhV742blyvLvVumZJ+TqiG3eMsRDUQU8RnNSspZzNJ8MOUwffkT6kvAR3BXeVzob5p08jsb99UJQ==</ds:SignatureValue>
          </ds:Signature>
          <Subject>
            <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">Brian</NameID>
            <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
              <SubjectConfirmationData NotOnOrAfter="2013-01-03T23:39:38.552Z" Recipient="https://sp.example.org"/>
            </SubjectConfirmation>
          </Subject>
          <Conditions NotOnOrAfter="2013-01-03T23:39:38.552Z" NotBefore="2013-01-03T23:29:38.552Z">
            <AudienceRestriction>
              <Audience>https://sp.example.org</Audience>
            </AudienceRestriction>
          </Conditions>
          <AuthnStatement AuthnInstant="2013-01-03T23:34:38.483Z" SessionIndex="oPm.DxOqT3ZZi83IwuVr3x83xlr">
            <AuthnContext>
              <AuthnContextClassRef>2</AuthnContextClassRef>
            </AuthnContext>
          </AuthnStatement>
        </Assertion>
    14. * http://www.google.com/about/appsecurity/hall-of-fame/reward/
    15. JWT/JWS Header
        {"kid":"5",
         "alg":"ES256"}
        {"keys":[
          {"kty":"EC",
           "kid":"4",
           "x":"LX-7aQn7RAx3jDDTioNssbODUfED_6XvZP8NsGzMlRo",
           "y":"dJbHEoeWzezPYuz6qjKJoRVLks7X8-BJXbewfyoJQ-A",
           "crv":"P-256"},
          {"kty":"EC",
           "kid":"5",
           "x":"f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
           "y":"x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
           "crv":"P-256"},
          {"kty":"EC",
           "kid":"6",
           "x":"J8z237wci2YJAzArSdWIj4OgrOCCfuZ18WI77jsiS00",
           "y":"5tTxvax8aRMMJ4unKdKsV0wcf3pOI3OG771gOa45wBU",
           "crv":"P-256"}
        ]}
    16. Brian Campbell, CIS Napa, July 2013, @__b_c
    17. SAML. Any Questions? Brian Campbell, CIS Napa, July 2013, @__b_c
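Slides 12 and 15, with the speaker note on bare keys in JSON, describe the relying-party side of a JWT: split the compact form into its three dot-separated base64url segments, use the header's kid to select one key from the published JWK Set, verify the signature, then check iss, aud and exp. The Python below is an added example, not code from the deck; it swaps in symmetric HS256 keys of JWK type "oct" for the deck's ES256/EC keys so it runs with the standard library alone, and every key, claim value and token in it is constructed.

```python
import base64
import hashlib
import hmac
import json

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

# Constructed JWK Set: "oct" keys stand in for the deck's EC keys, same kid 4/5/6 (previous/current/next) layout.
JWKS = {"keys": [{"kty": "oct", "kid": kid, "k": b64url_encode(secret)} for kid, secret in
                 (("4", b"previous-key"), ("5", b"current-key"), ("6", b"next-key"))]}

def key_for(kid: str) -> bytes:
    """The kid header is the link from a token to one entry of the published JWK Set."""
    for jwk in JWKS["keys"]:
        if jwk["kty"] == "oct" and jwk["kid"] == kid:
            return b64url_decode(jwk["k"])
    raise KeyError(f"no key with kid={kid!r} in JWK Set")

def sign_jwt(claims: dict, kid: str) -> str:
    """Issuer side: Header.Payload.Signature as dot-concatenated base64url segments."""
    header = {"kid": kid, "alg": "HS256"}
    signing_input = ".".join(b64url_encode(json.dumps(x, separators=(",", ":")).encode())
                             for x in (header, claims))
    mac = hmac.new(key_for(kid), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)

def verify_jwt(token: str, issuer: str, audience: str, now: int) -> dict:
    """Relying-party side: kid lookup and signature first, then iss, aud and exp."""
    h_b64, p_b64, s_b64 = token.split(".")  # ValueError unless exactly three segments
    header = json.loads(b64url_decode(h_b64))
    if header.get("alg") != "HS256":  # the verifier pins alg; the token does not choose it
        raise ValueError("unexpected alg")
    mac = hmac.new(key_for(header.get("kid")), f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, b64url_decode(s_b64)):
        raise ValueError("signature does not verify")
    claims = json.loads(b64url_decode(p_b64))
    if claims.get("iss") != issuer or claims.get("aud") != audience:
        raise ValueError("iss/aud mismatch")
    if now >= int(claims.get("exp", 0)):
        raise ValueError("token expired")
    return claims

def is_valid(token: str, issuer: str, audience: str, now: int) -> bool:
    try:
        return bool(verify_jwt(token, issuer, audience, now))
    except (ValueError, KeyError, AttributeError):  # unknown kid surfaces as KeyError
        return False
```

Because keys 4 and 6 are already in the set, a token signed under either still verifies, which is the rollover the speaker note refers to: publish the next key before using it and keep the previous one until its tokens expire.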
