IdP, SAML, OAuth 
New Acronyms for a Cloud World 
Dan Brinkmann 
@dbrinkmann
About Me 
WhatWouldDanDo.com 
@dbrinkmann 
BriForum 2011, 2012, 2013, 2014 
Citrix Synergy 2012, 2013, 2014 
Former VMware vExpert
I am not an identity expert
Agenda 
Definitions 
The Problem 
Identity & Service Providers 
Office 365 Federation example 
OAuth
Definitions
Authentication 
Verifying Identity 
Authentication (AuthN) - Verifies who you are 
• Username/password 
• 2FA / strong authentication 
• Certificates 
Enterprise: Username / Password 
Consumer: Driver's license
Massively broken
Authorization 
Possession is 9/10ths of ownership 
Authorization (AuthZ) - What you are able to do
Authorization example: a valet key can start the car and lock the doors but not open the trunk
Definition of Terms 
SAML 
• Security Assertion Markup Language 
OAuth 
• Open standard for authorization 
Federation 
• You’ve authenticated to a different system than the one you’re trying to access; your identity has been proven by a 3rd party, and on that basis you’re being allowed into this system
History 
SAML 
• 1.0 - 2002 
• 1.1 - 2003 
• 2.0 - 2005 (not backwards compatible with 1.x) 
OAuth 
• 1.0 - 2010 
• 2.0 - 2012 (not backwards compatible with 1.0)
The Problem 
Why does federation exist?
Genesis 
u: bob 
p: password1 
u: bob1 
p: logmein 
u: bobby 
p: 123
Along came Active Directory 
u: bobjones 
p: ComplexP1!
And then came SaaS / Cloud apps
Why not use Active Directory? 
No Trust 
Bad admin 
>>passwords.txt
IdP / SP Architecture 
[Diagram: the SaaS solution hosts the Service Provider (SP); the enterprise hosts the Identity Provider (IdP), which queries Active Directory over LDAP. A Trust relationship links SP and IdP, and signed Claims flow from the IdP to the SP.]
Common IdPs 
Ping Identity PingFederate 
CA SiteMinder 
Microsoft ADFS 
Shibboleth 
Okta
Microsoft ADFS 
ADFS 1.0 - Part of Windows 2003 R2 
ADFS 1.1 - Part of Windows 2008 and R2 (Installed as Role from Server Mgr) 
Used SAML 1.x so forget about these
Microsoft ADFS 
ADFS 2.0 - Released after Windows 2008 R2 as a standalone download 
ADFS 2.1 - Part of Windows Server 2012 and installed as a Role 
ADFS 3.0 - Part of Windows Server 2012 R2 and installed as a Role Service 
ADFS 2.x relies on IIS 
ADFS 3.x is built on http.sys (IIS is not installed or needed)
IdP / SP Architecture: Trust / Configuration 
How is trust established? 
[Diagram: the same SP / IdP / Active Directory layout, highlighting the Trust link between SP and IdP.]
IDP Configuration: Metadata 
https://nexus.microsoftonline-p.com/federationmetadata/2007-06/federationmetadata.xml
IDP trusts Service Provider: Relying Party ID 
"When a user requests claims from this Federation Service for the relying party, the relying party identifier will be used to identify the relying party for which the claims should be targeted." 
Translate: match the incoming SP request to the IdP's Relying Party Trust configuration
IDP trusts Service Provider: Signature 
The SAML request from the Service Provider is signed (not always used)
Service Provider trusts IDP: Token-signing certificate
IdP / SP Architecture: Authentication (AuthN) 
[Diagram: the same SP / IdP / Active Directory layout, this time focused on the authentication step at the IdP, which talks LDAP to Active Directory.]
ADFS Authentication 
[Diagram: an ADFS Proxy in front of the ADFS Server, which queries the enterprise Active Directory over LDAP.] 
ADFS Proxy - 2.x 
Web Application Proxy - 3.x
ADFS Authentication 
Basic Authentication 
• Username & password sent in clear text over the network 
• You should always use SSL/TLS 
Windows Integrated (IWA) 
• Kerberos, NTLMSSP 
• Can work silently / in the background
ADFS Authentication 
Forms 
• Webpage 
• 2FA 
• Works with virtually any device 
X509 / Client Certificates
ADFS Authentication Matrix 
[Table: rows Basic Auth, Windows Integrated, Forms, X509 / Client Cert; columns ADFS 2.x, ADFS 2.x Proxy, ADFS 3.x, Web Application Proxy. The per-cell support marks were graphics and are not recoverable.]
Manipulating Authentication Priority
IdP / SP Architecture: Claims 
[Diagram: the same SP / IdP / Active Directory layout, highlighting the signed Claims sent from the IdP to the SP.]
Claims 
SAML assertions contain claims 
Attribute claims contain information about the user (email address) 
Transformations can convert / modify data before creating the claim
Example SAML Token 
With a lot trimmed out 
<samlp:Response ID="_97c40e4a-d04e-409d-8ecc-1a2728f87873" Version="2.0" IssueInstant="2013-01-21T17:50:41.470Z"
    Destination="https://onprem.sharefile.com/saml/acs" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
    InResponseTo="_ef94eec3026e4b49b86d6d162a3def59" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://adfs.sharefiletest.com/adfs/services/trust</Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" /></samlp:Status>
  <Assertion ID="_f1ad9c25-5632-414e-9b9c-e80d08c1f3ca" IssueInstant="2013-01-21T17:50:41.470Z" Version="2.0"
      xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
    <Issuer>http://adfs.sharefiletest.com/adfs/services/trust</Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
        <ds:Reference URI="#_f1ad9c25-5632-414e-9b9c-e80d08c1f3ca">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
          <ds:DigestValue>KXdq8sGKJoFSBSB9YkF9LN7/8Ik=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>aUaw…dzA==</ds:SignatureValue>
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>MIIC…KOw==</ds:X509Certificate></ds:X509Data>
      </KeyInfo>
    </ds:Signature>
    <Subject>
      <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">dan.brinkmann@citrix.com</NameID>
      <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <SubjectConfirmationData InResponseTo="_ef94eec3026e4b49b86d6d162a3def59"
            NotOnOrAfter="2013-01-21T17:55:41.470Z" Recipient="https://onprem.sharefile.com/saml/acs" />
      </SubjectConfirmation>
    </Subject>
    <Conditions NotBefore="2013-01-21T17:50:41.467Z" NotOnOrAfter="2013-01-21T18:50:41.467Z">
      <AudienceRestriction><Audience>http://onprem.sharefile.com/saml/info</Audience></AudienceRestriction>
    </Conditions>
    <AttributeStatement>
      <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn">
        <AttributeValue>juliano.maldaner@citrix.com</AttributeValue>
      </Attribute>
    </AttributeStatement>
    <AuthnStatement AuthnInstant="2013-01-21T17:50:41.429Z" SessionIndex="_f1ad9c25-5632-414e-9b9c-e80d08c1f3ca">
      <AuthnContext><AuthnContextClassRef>urn:federation:authentication:windows</AuthnContextClassRef></AuthnContext>
    </AuthnStatement>
  </Assertion>
</samlp:Response>
SAML Assertion 
<NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">dan.brinkmann@citrix.com</NameID>... 
[Diagram of the claims pipeline: Attribute Store (Active Directory) -> Rule / Transform -> Claims]
Create a Claim Rule 
Claims
IdP / SP Architecture 
What does a SP do with the claim? 
• Verify trust information (cert) 
• Match the claim against a user object in its database/directory 
• This database usually needs to be pre-populated, although it is possible to use the assertion / claims to do this 
[Diagram: the SaaS Service Provider (SP) receiving the signed Claims.]
IdP / SP Architecture: Claims 
[Diagram: the same SP / IdP / Active Directory layout, with the note that the SP side must be populated with accounts.]
IDP / SP Sign-on Flow
SAML: IDP-Initiated Sign-On 
1. The user, already at the Identity Provider (IdP), asks to go to SaaS-App.com 
2. IdP answers 302 + Claims 
3. The browser follows the redirect to https://account.Saas-App.com/saml/acs + Claims at the Service Provider (SP)
SAML: SP-Initiated Sign-On (Passive) 
1. The browser opens https://account.SaaS-App.com/saml/login at the Service Provider (SP) 
2. SP answers 302 + Request (redirect to the IdP) 
3. The browser sends ../adfs/ls + Request to the Identity Provider (IdP) 
4. IdP answers 401 (Auth Challenge) 
5. The browser resends ../adfs/ls + Request together with its answer to the challenge 
6. IdP answers 302 + Claims 
7. The browser follows the redirect to https://account.SaaS-App.com/saml/acs + Claims
Troubleshooting 
IdP / SP federation issues
Common IdP Issues 
1. Attribute claim doesn’t match up 
2. Certificate is incorrect 
3. IdP time is out of whack (5 minute tolerance)
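As an added example (not from the slides), a Python sketch of the SP-side checks the deck describes: verify the trust information by pinning the IdP's token-signing certificate, check the assertion conditions with the 5-minute clock tolerance from the troubleshooting list, then match the claim against a pre-populated account store. The response, the pinned certificate value and the account table are constructed; cryptographic verification of the XML-DSig signature is left to a SAML library.

```python
"""SP-side checks on a SAML 2.0 Response shaped like the ADFS token on the slides.
Constructed sample data; XML-DSig signature verification is left to a SAML library."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
UPN_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
CLOCK_SKEW = timedelta(minutes=5)  # the "5 minute tolerance" from the troubleshooting slide

# Constructed stand-in for the token-signing certificate published in the IdP metadata.
PINNED_CERT = "TUlJQ2NvbnN0cnVjdGVkLWNlcnQ="
REQUEST_ID = "_ef94eec3026e4b49b86d6d162a3def59"  # AuthnRequest ID the SP issued (from the slides)

# Constructed response: the slides' ADFS token trimmed to the elements checked below.
SAMPLE_RESPONSE = f"""<samlp:Response ID="_r1" Version="2.0" InResponseTo="{REQUEST_ID}"
  Destination="https://onprem.sharefile.com/saml/acs"
  xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <Assertion ID="_a1" Version="2.0" IssueInstant="2013-01-21T17:50:41.470Z">
    <Issuer>http://adfs.sharefiletest.com/adfs/services/trust</Issuer>
    <ds:Signature><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{PINNED_CERT}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></ds:Signature>
    <Subject>
      <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">dan.brinkmann@citrix.com</NameID>
      <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <SubjectConfirmationData InResponseTo="{REQUEST_ID}" NotOnOrAfter="2013-01-21T17:55:41.470Z"
          Recipient="https://onprem.sharefile.com/saml/acs"/>
      </SubjectConfirmation>
    </Subject>
    <Conditions NotBefore="2013-01-21T17:50:41.467Z" NotOnOrAfter="2013-01-21T18:50:41.467Z">
      <AudienceRestriction><Audience>http://onprem.sharefile.com/saml/info</Audience></AudienceRestriction>
    </Conditions>
    <AttributeStatement>
      <Attribute Name="{UPN_CLAIM}"><AttributeValue>dan.brinkmann@citrix.com</AttributeValue></Attribute>
    </AttributeStatement>
  </Assertion>
</samlp:Response>"""

# What the SP was given when the trust was configured, plus its pre-populated account store.
SP_CONFIG = {"idp_issuer": "http://adfs.sharefiletest.com/adfs/services/trust",
             "audience": "http://onprem.sharefile.com/saml/info",
             "acs_url": "https://onprem.sharefile.com/saml/acs",
             "token_signing_cert": PINNED_CERT}
ACCOUNTS = {"dan.brinkmann@citrix.com": {"id": 42, "name": "Dan Brinkmann"}}  # constructed


def parse_ts(value):
    """Parse a SAML UTC timestamp, with or without fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            pass
    raise ValueError(f"unrecognised SAML timestamp {value!r}")


def validate_response(xml_text, config, request_id, now):
    """Return (ok, reason, claims); reason names the failure class on rejection."""
    root = ET.fromstring(xml_text)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        return False, "IdP did not report Success", {}
    a = root.find("saml:Assertion", NS)
    if a is None or a.find("saml:Conditions", NS) is None:
        return False, "no assertion or no conditions", {}
    if a.findtext("saml:Issuer", "", NS) != config["idp_issuer"]:
        return False, "bad identifier: unexpected issuer", {}
    cert = a.findtext("ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", "", NS)
    if "".join(cert.split()) != config["token_signing_cert"]:
        return False, "bad signature: not the pinned token-signing certificate", {}
    cond = a.find("saml:Conditions", NS)
    # Validity window with the 5-minute tolerance: a skewed IdP clock is a classic failure.
    if now < parse_ts(cond.get("NotBefore")) - CLOCK_SKEW or now >= parse_ts(cond.get("NotOnOrAfter")) + CLOCK_SKEW:
        return False, "outside validity window: check IdP and SP clocks", {}
    if config["audience"] not in [x.text for x in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        return False, "audience restriction does not name this SP", {}
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != config["acs_url"] or scd.get("InResponseTo") != request_id:
        return False, "bearer confirmation not addressed to this SP and request", {}
    if now >= parse_ts(scd.get("NotOnOrAfter")) + CLOCK_SKEW:
        return False, "bearer confirmation expired", {}
    claims = {"NameID": a.findtext("saml:Subject/saml:NameID", "", NS)}
    for attr in a.findall("saml:AttributeStatement/saml:Attribute", NS):
        claims[attr.get("Name")] = attr.findtext("saml:AttributeValue", "", NS)
    return True, "ok", claims


def match_account(claims, accounts):
    """Look the UPN claim (falling back to NameID) up in the SP's account store; None means no match."""
    return accounts.get(claims.get(UPN_CLAIM) or claims.get("NameID"))
```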
How to debug SAML 
Fiddler 
Google Chrome Developer Tools 
Internet Explorer Developer Tools 
Firefox Firebug 
SAML debugger https://fed-lab.org
SAML Token 
<saml:Attribute AttributeName="UPN" 
AttributeNamespace="http://schemas.xmlsoap.org/claims"> 
<saml:AttributeValue>?????</saml:AttributeValue> 
</saml:Attribute> 
<saml:Attribute AttributeName="ImmutableID" 
AttributeNamespace="http://schemas.microsoft.com/LiveID/Federation/2008/05">
Service Provider trusts IDP: Token-signing certificate
Demo
How to handle IDP Errors: 
Further information in the IDP logs… 
• Bad Signature 
• Bad Identifier
Authentication Issues 
One common issue with Windows Integrated authentication: the prompt comes up but authentication always fails
Office 365 Federation Example
Office 365 & Azure Active Directory Services 
[Diagram: the local Active Directory (via ADFS) acts as the Identity Provider (IdP); Azure Active Directory acts as the Service Provider (SP) and receives the Claims.]
DirSync 
DirSync populates Azure Active Directory with user accounts and groups from a local Active Directory 
http://blogs.office.com/2014/04/15/synchronizing-your-directory-with-office-365-is-easy/
DirSync Configuration
Enabling Federation 
Install the Azure Active Directory PowerShell module 
Run the PowerShell commands: 
• $cred=Get-Credential 
• Connect-MsolService -Credential $cred 
• Convert-MsolDomainToFederated -DomainName <domain>
Office 365 Federated Login 
login.microsoftonline.com
Office 365 Federated Login 
danbrinkmann.com is a federated domain
Office 365 Federated Login 
After typing the username it automatically redirects to my IdP
Office 365 Federated Login 
Login to ADFS 3.0 (Windows 2012 R2) 
ADFS server then redirects to: 
https://login.microsoftonline.com/login.srf
Office 365 Federated Login 
<saml:Attribute AttributeName="UPN" 
AttributeNamespace="http://schemas.xmlsoap.org/claims"> 
<saml:AttributeValue>dbrinkmann@danbrinkmann.com</saml:AttributeValue> 
</saml:Attribute> 
<saml:Attribute AttributeName="ImmutableID" 
AttributeNamespace="http://schemas.microsoft.com/LiveID/Federation/2008/05">
Office 365 Federated Login 
Authorization succeeds; the account is matched to the O365 mail account
Problem Solved? 
How many times would you want to do this on a mobile device? 
SAML / WS-Federation is a heavy process 
2-factor authentication is a common enterprise IdP implementation 
Cumbersome to end users
Problem Solved? 
How can we streamline AuthN? 
Cache the password on the mobile device 
• What about 2FA? 
• Apps get complete access to a user’s account 
• Users can’t revoke access to an app / device except by changing their password 
• Compromised apps expose the user’s password 
• Remember WebDAV?
Enter OAuth 
AuthZ 
Authorization (AuthZ) without passwords 
Tokens can be revoked 
Tokens can be scoped 
Tokens can be time-limited 
Lightweight
Example OAuth Token 
{"expires_in":28800, "token_type":"bearer", "apicp":"sharefile.com",
 "access_files_folders":true, "change_my_settings":true, "admin_users":true,
 "expires_at_unix":"1,405,816,443.33826", "refresh_token":"m5rU7aWB….",
 "subdomain":"danbrinkmann", "modify_files_folders":true, "web_app_login":true,
 "admin_accounts":true, "appcp":"sharefile.com", "access_token":"m5rU7aWB….."}
OAuth vs SAML Token 
And I even trimmed out the signing certificate of the SAML Token 
OAuth in Consumer Lives 
Creating a separate username / 
password not required
OAuth in Consumer Lives 
Scoped Access
OAuth in Consumer Lives 
The irony of this slide
How OAuth is used in Enterprise Apps 
Instead of AuthN each time use AuthZ 
Protect mobile application using PIN / Passcode
Mobile App Solution 
1. Authenticate via the IdP (first-time use, FTU) 
2. Exchange the SAML token for an OAuth token 
3. Use the OAuth access token to access the application 
4. If the access token fails, get a new one using the refresh token 
5. If the refresh token fails, prompt the user to re-authenticate via the IdP
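As an added example (not from the slides), a Python model of the mobile-app token ladder above and of the "Enter OAuth" properties (scoped, time-limited, revocable tokens): use the access token, fall back to the refresh token when it is rejected, and only send the user back to the IdP when the refresh token fails. The authorization server, the resource check and the IdP login are constructed stand-ins; the token shape and the 28800-second lifetime follow the example OAuth token on the slides.

```python
"""Client-side OAuth token handling for the mobile-app flow on the slides.
FakeAuthServer and the IdP callback are constructed stand-ins, not a real API."""
import secrets


class FakeAuthServer:
    """Constructed stand-in: issues, rotates and revokes tokens, and checks them for the resource."""

    def __init__(self, now):
        self.now = now          # callable returning epoch seconds (injected so tests can move time)
        self.access = {}        # access_token -> (expires_at, scope flags)
        self.refresh = {}       # refresh_token -> scope flags

    def issue(self, scope, expires_in=28800):   # 28800 s = 8 h, as in the slides' token
        at, rt = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
        self.access[at] = (self.now() + expires_in, scope)
        self.refresh[rt] = scope
        # Same shape as the slides' token: lifetime, bearer type, scope flags, both tokens.
        return {"token_type": "bearer", "expires_in": expires_in,
                "access_token": at, "refresh_token": rt, **scope}

    def redeem_refresh(self, rt):
        scope = self.refresh.pop(rt, None)      # refresh tokens are single-use here
        if scope is None:
            return None                         # revoked or unknown: user must re-authenticate
        return self.issue(scope)                # rotate: new access token and new refresh token

    def revoke(self, rt):
        """'Tokens can be revoked': an admin or the user cuts off one app or device."""
        self.refresh.pop(rt, None)

    def check(self, at, needed):
        """Resource-server view: 401 if missing or expired, 403 if out of scope, else 200."""
        entry = self.access.get(at)
        if entry is None or self.now() >= entry[0]:
            return 401
        return 200 if entry[1].get(needed) else 403


class MobileClient:
    """Implements the slides' ladder: access token -> refresh token -> re-authenticate via IdP."""

    def __init__(self, server, authenticate_via_idp):
        self.server = server
        self.authenticate_via_idp = authenticate_via_idp  # stands in for SAML login + SAML-for-OAuth exchange
        self.token = None
        self.reauth_count = 0

    def call(self, needed_scope):
        """Return the status of a resource call after applying the retry ladder once."""
        if self.token is None:                             # first-time use (FTU)
            self.token = self.authenticate_via_idp()
        status = self.server.check(self.token["access_token"], needed_scope)
        if status != 401:                                  # 200, or 403 (scoped token; no retry helps)
            return status
        fresh = self.server.redeem_refresh(self.token["refresh_token"])
        if fresh is None:                                  # refresh failed: back to the IdP
            self.reauth_count += 1
            fresh = self.authenticate_via_idp()
        self.token = fresh
        return self.server.check(self.token["access_token"], needed_scope)


def run_scenario():
    """Walk the ladder: FTU login, scoped denial, silent refresh after expiry, re-auth after revocation."""
    clock = [1_405_787_643.0]                          # constructed epoch start
    server = FakeAuthServer(now=lambda: clock[0])
    scope = {"access_files_folders": True, "modify_files_folders": False, "admin_users": False}
    client = MobileClient(server, lambda: server.issue(scope))
    results = {}
    results["first"] = client.call("access_files_folders")        # 200 after the FTU login
    results["out_of_scope"] = client.call("admin_users")           # 403: the token is scoped
    clock[0] += 28800                                              # access token expires
    results["after_expiry"] = client.call("access_files_folders")  # 200, silently via refresh token
    results["reauth_after_refresh"] = client.reauth_count          # 0: user was not prompted
    server.revoke(client.token["refresh_token"])                  # device is revoked
    clock[0] += 28800
    results["after_revoke"] = client.call("access_files_folders")  # 200 only after IdP re-auth
    results["reauth_after_revoke"] = client.reauth_count           # 1
    return results
```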
Summary 
Federation is necessary for next-generation & mobile applications 
Authentication (AuthN): SAML 
Authorization (AuthZ): OAuth
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embeddingZilliz
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 

Recently uploaded (20)

Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embedding
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 

IdP, SAML, OAuth

  • 1. IdP, SAML, OAuth New Acronyms for a Cloud World Dan Brinkmann @dbrinkmann
  • 2. About Me WhatWouldDanDo.com @dbrinkmann BriForum 2011, 2012, 2013, 2014 Citrix Synergy 2012, 2013, 2014 Former VMware vExpert
  • 3.
  • 4. I am not an identity expert
  • 5. Agenda Definitions The Problem Identity & Service Providers Office 365 Federation example OAuth
  • 7. Authentication Verifying Identity Authentication (AuthN) - Verifies who you are • Username/password • 2FA / strong authentication • Certificates Enterprise: Username / Password Consumer: Drivers license
  • 8. Authentication Verifying Identity Authentication (AuthN) - Verifies who you are • Username/password • 2FA / strong authentication • Certificates Enterprise: Username / Password Consumer: Drivers license Massively broken
  • 9. Authorization Possession is 9/10ths of ownership Authorization (AuthZ) - What you are able to do
  • 10. Authorization Start car, lock doors, deny trunk Valet key
  • 11. Definition of Terms SAML • Security Assertion Markup Language OAuth • Open standard for authorization Federation • You’ve authenticated to a different system than the one you’re trying to access, your identity has been proven by a 3rd party, and on that basis you’re being allowed into this system
  • 12. History SAML • 1.0 - 2002 • 1.1 - 2003 • 2.0 - 2005 (not backwards compatible with 1.x) OAuth • 1.0 - 2010 • 2.0 - 2012 (not backwards compatible with 1.0)
  • 13. The Problem Why does federation exist?
  • 14. Genesis u: bob p: password1 u: bob1 p: logmein u: bobby p: 123
  • 15. Along came Active Directory u: bobjones p: ComplexP1!
  • 16. And then came SaaS / Cloud apps
  • 17. Why not use Active Directory?
  • 18. Why not use Active Directory? Bad admin >>passwords.txt
  • 19. Why not use Active Directory? No Trust Bad admin >>passwords.txt
  • 20. IdP / SP Architecture SaaS Solution Enterprise Service Provider (SP) Identity Provider (IDP) Trust Claims LDAP Signed Active Directory
  • 21. Common IdPs Ping Identity PingFederate CA SiteMinder Microsoft ADFS Shibboleth Okta
  • 22. Microsoft ADFS ADFS 1.0 - Part of Windows 2003 R2 ADFS 1.1 - Part of Windows 2008 and R2 (Installed as Role from Server Mgr) Used SAML 1.x so forget about these
  • 23. Microsoft ADFS ADFS 2.0 - Released after Windows 2008 R2 as a standalone download ADFS 2.1 - Part of Windows Server 2012 and installed as a Role ADFS 3.0 - Part of Windows Server 2012 R2 and installed as a Role Service ADFS 2.x rely on IIS ADFS 3.x is built on http.sys (IIS is not installed or needed)
  • 24. IdP / SP Architecture Trust / Configuration
  • 25. IdP / SP Architecture How is trust established? SaaS Solution Enterprise Service Provider (SP) Identity Provider (IDP) Trust LDAP Active Directory
  • 26. IDP Configuration: Metadata https://nexus.microsoftonline-p.com/federationmetadata/2007-06/federationmetadata.xml
  • 27. IDP trusts Service Provider: Relying Party ID When a user requests claims from this Federation Service for the relying party, the relying party identifier will be used to identify the relying party for which the claims should be targeted Translate: Match incoming SP request to IdP Relying Party Trust configuration
  • 28. IDP trusts Service Provider: Signature SAML request from the Service Provider is signed Not always used
  • 29. Service Provider trusts IDP: Token-signing certificate
  • 30. IdP / SP Architecture Authentication
  • 31. IdP / SP Architecture Authentication (AuthN) SaaS Solution Enterprise Service Provider (SP) Identity Provider (IDP) Trust LDAP Active Directory
  • 32. ADFS Authentication ADFS Proxy ADFS Server Enterprise LDAP Active Directory ADFS Proxy - 2.x Web Application Proxy - 3.x
  • 33. ADFS Authentication Basic Authentication • Username & password sent in clear text over network • You should always use SSL/TLS Windows Integrated (IWA) • Kerberos, NTLMSSP • Can work silently / background
  • 34. ADFS Authentication Forms • Webpage • 2FA • Works with virtually any device X509 / Client Certificates
  • 35. ADFS Authentication Matrix (table; columns: ADFS 2.x, ADFS 2.x Proxy, ADFS 3.x, Web Application Proxy; rows: Basic Auth, Windows Integrated, Forms, X509 / Client Cert; cell values not in transcript)
  • 37. IdP / SP Architecture Claims
  • 38. IdP / SP Architecture Claims SaaS Solution Enterprise Service Provider (SP) Identity Provider (IDP) Trust Claims LDAP Signed Active Directory
  • 39. Claims SAML assertions contain claims Attribute claims contain information about the user (email address) Transformations can convert / modify data before creating the claim
  • 40. Example SAML Token (with a lot trimmed out)
        <samlp:Response ID="_97c40e4a-d04e-409d-8ecc-1a2728f87873" Version="2.0" IssueInstant="2013-01-21T17:50:41.470Z"
            Destination="https://onprem.sharefile.com/saml/acs" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
            InResponseTo="_ef94eec3026e4b49b86d6d162a3def59" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
          <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://adfs.sharefiletest.com/adfs/services/trust</Issuer>
          <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" /></samlp:Status>
          <Assertion ID="_f1ad9c25-5632-414e-9b9c-e80d08c1f3ca" IssueInstant="2013-01-21T17:50:41.470Z" Version="2.0"
              xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
            <Issuer>http://adfs.sharefiletest.com/adfs/services/trust</Issuer>
            <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
              <ds:SignedInfo>
                <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
                <ds:Reference URI="#_f1ad9c25-5632-414e-9b9c-e80d08c1f3ca">
                  <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                  </ds:Transforms>
                  <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                  <ds:DigestValue>KXdq8sGKJoFSBSB9YkF9LN7/8Ik=</ds:DigestValue>
                </ds:Reference>
              </ds:SignedInfo>
              <ds:SignatureValue>aUaw…dzA==</ds:SignatureValue>
              <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
                <ds:X509Data><ds:X509Certificate>MIIC…KOw==</ds:X509Certificate></ds:X509Data>
              </KeyInfo>
            </ds:Signature>
            <Subject>
              <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">dan.brinkmann@citrix.com</NameID>
              <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <SubjectConfirmationData InResponseTo="_ef94eec3026e4b49b86d6d162a3def59"
                    NotOnOrAfter="2013-01-21T17:55:41.470Z" Recipient="https://onprem.sharefile.com/saml/acs" />
              </SubjectConfirmation>
            </Subject>
            <Conditions NotBefore="2013-01-21T17:50:41.467Z" NotOnOrAfter="2013-01-21T18:50:41.467Z">
              <AudienceRestriction><Audience>http://onprem.sharefile.com/saml/info</Audience></AudienceRestriction>
            </Conditions>
            <AttributeStatement>
              <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn">
                <AttributeValue>juliano.maldaner@citrix.com</AttributeValue>
              </Attribute>
            </AttributeStatement>
            <AuthnStatement AuthnInstant="2013-01-21T17:50:41.429Z" SessionIndex="_f1ad9c25-5632-414e-9b9c-e80d08c1f3ca">
              <AuthnContext><AuthnContextClassRef>urn:federation:authentication:windows</AuthnContextClassRef></AuthnContext>
            </AuthnStatement>
          </Assertion>
        </samlp:Response>
  • 41. SAML Assertion <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">dan.brinkmann@citrix.com</NameID>... Attribute Store (Active Directory) Rule Transform Claims
  • 42. Create a Claim Rule Claims
  • 43. IdP / SP Architecture What does a SP do with the claim? Verify trust information (cert) Match claim against an user object in its database/directory This database usually needs to be pre-populated although it is possible to use the assertion / claims to do this SaaS Solution Service Provider (SP) Claims Signed
  • 44. IdP / SP Architecture Claims SaaS Solution Enterprise Service Provider (SP) Identity Provider (IDP) Trust Claims LDAP Signed Active Directory Populate with accounts
  • 45. IDP / SP Sign-on Flow
  • 46. IdP / SP Architecture SaaS Solution Enterprise Service Provider (SP) Identity Provider (IDP) Trust Claims LDAP Signed Active Directory
  • 47. SAML: IDP-Initiated Sign-On (diagram: Identity Provider (IDP) and Service Provider (SP))
        Browser -> IDP: Go to SaaS-App.com
        IDP -> Browser: 302 + Claims
        Browser -> SP: https://account.Saas-App.com/saml/acs + Claims
  • 48. SAML: SP-Initiated Sign-On (Passive) (diagram: Identity Provider (IDP) and Service Provider (SP))
        Browser -> SP: https://account.SaaS-App.com/saml/login
        SP -> Browser: 302 + Request
        Browser -> IDP: ../adfs/ls + Request
        IDP -> Browser: 401 (Auth Challenge)
        Browser -> IDP: ../adfs/ls + Request + …
        IDP -> Browser: 302 + Claims
        Browser -> SP: https://account.SaaS-App.com/saml/acs + Claims
  • 49. Troubleshooting IdP / SP federation issues
  • 50. Common IdP Issues 1. Attribute claim doesn’t match up 2. Certificate is incorrect 3. IdP time is out of whack (5 minute tolerance)
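An added example (not from the deck or any vendor) of what the Service Provider does with the slide 40 token, showing how the three issues above surface as distinct rejections: SP_CONFIG, USER_DIRECTORY, REQUEST_ID and the trimmed sample response are constructed, and signature verification against the token-signing certificate is reduced to a presence check.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
UPN_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
CLOCK_SKEW = timedelta(minutes=5)                    # the "5 minute tolerance" from slide 50
REQUEST_ID = "_ef94eec3026e4b49b86d6d162a3def59"     # AuthnRequest ID the SP remembered

# Hypothetical relying-party configuration on the SP side
SP_CONFIG = {"trusted_issuer": "http://adfs.sharefiletest.com/adfs/services/trust",
             "acs_url": "https://onprem.sharefile.com/saml/acs",
             "audience": "http://onprem.sharefile.com/saml/info"}
# Pre-populated account store (slide 43): claim value -> internal user id (constructed)
USER_DIRECTORY = {"juliano.maldaner@citrix.com": "user-1001"}

# Constructed sample: the slide 40 response with the signature/certificate blobs elided
SAMPLE_RESPONSE = """<samlp:Response ID="_97c40e4a-d04e-409d-8ecc-1a2728f87873" Version="2.0"
  IssueInstant="2013-01-21T17:50:41.470Z" Destination="https://onprem.sharefile.com/saml/acs"
  InResponseTo="_ef94eec3026e4b49b86d6d162a3def59" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://adfs.sharefiletest.com/adfs/services/trust</Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <Assertion ID="_f1ad9c25-5632-414e-9b9c-e80d08c1f3ca" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
    <Issuer>http://adfs.sharefiletest.com/adfs/services/trust</Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignatureValue>aUaw...dzA==</ds:SignatureValue></ds:Signature>
    <Subject><NameID>dan.brinkmann@citrix.com</NameID>
      <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <SubjectConfirmationData InResponseTo="_ef94eec3026e4b49b86d6d162a3def59"
          NotOnOrAfter="2013-01-21T17:55:41.470Z" Recipient="https://onprem.sharefile.com/saml/acs"/>
      </SubjectConfirmation></Subject>
    <Conditions NotBefore="2013-01-21T17:50:41.467Z" NotOnOrAfter="2013-01-21T18:50:41.467Z">
      <AudienceRestriction><Audience>http://onprem.sharefile.com/saml/info</Audience></AudienceRestriction>
    </Conditions>
    <AttributeStatement><Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn">
      <AttributeValue>juliano.maldaner@citrix.com</AttributeValue></Attribute></AttributeStatement>
  </Assertion>
</samlp:Response>"""


def parse_time(value):
    """SAML timestamps are UTC ('Z'); parse into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def validate_response(xml_text, expected_request_id, now, config=SP_CONFIG, directory=USER_DIRECTORY):
    """Return (True, user_id) on success, or (False, reason) naming the first failed check."""
    root = ET.fromstring(xml_text)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != "urn:oasis:names:tc:SAML:2.0:status:Success":
        return False, "status is not Success"
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return False, "no assertion"
    # Trust: the assertion must come from the configured IdP and be signed. A real SP
    # verifies the XML signature against the IdP token-signing certificate here (slide 29).
    if assertion.findtext("saml:Issuer", namespaces=NS) != config["trusted_issuer"]:
        return False, "untrusted issuer"
    if assertion.find("ds:Signature", NS) is None:
        return False, "assertion is not signed"
    # Replay / binding: the response must answer our request and be delivered to our ACS
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("InResponseTo") != expected_request_id:
        return False, "InResponseTo does not match our request"
    if scd.get("Recipient") != config["acs_url"]:
        return False, "Recipient is not our ACS URL"
    # Validity window, tolerating clock drift between IdP and SP (issue 3 on slide 50)
    cond = assertion.find("saml:Conditions", NS)
    if now < parse_time(cond.get("NotBefore")) - CLOCK_SKEW:
        return False, "assertion not yet valid (check IdP clock)"
    if now >= parse_time(cond.get("NotOnOrAfter")) + CLOCK_SKEW:
        return False, "assertion expired (check IdP clock)"
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if config["audience"] not in audiences:
        return False, "audience mismatch"
    # Claims: collect the attribute claims and match the UPN against our account store (issue 1)
    claims = {a.get("Name"): a.findtext("saml:AttributeValue", namespaces=NS)
              for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    upn = claims.get(UPN_CLAIM)
    if upn is None:
        return False, "UPN claim missing"
    if upn not in directory:
        return False, f"no account matches claim {upn}"
    return True, directory[upn]
```

The clock checks deliberately widen both ends of the Conditions window by CLOCK_SKEW, so an IdP that is a few minutes off still works while one that is badly out of whack is rejected with a reason that points at the clock.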
  • 51. How to debug SAML Fiddler Google Chrome Developer Tools Internet Explorer Developer Tools Firefox Firebug SAML debugger https://fed-lab.org
  • 52.
  • 54. SAML Token
        <saml:Attribute AttributeName="UPN" AttributeNamespace="http://schemas.xmlsoap.org/claims">
          <saml:AttributeValue>?????</saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute AttributeName="ImmutableID" AttributeNamespace="http://schemas.microsoft.com/LiveID/Federation/2008/05">
  • 55. Service Provider trusts IDP: Token-signing certificate
  • 57. How to handle IDP Errors:
  • 58. Further information on IDP logs… Bad Signature Bad Identifier
  • 59. Authentication Issues One common issue using Integrated (prompt comes up but auth always fails)
  • 61. Office 365 & Azure Active Directory Services Identity Provider (IDP) Service Provider (SP) Azure Active Directory Local Active Directory Claims
  • 62. Office 365 & Azure Active Directory Services Identity Provider (IDP) Service Provider (SP) Azure Active Directory Local Active Directory
  • 63. Office 365 & Azure Active Directory Services Identity Provider (IDP) Service Provider (SP) Azure Active Directory Local Active Directory
  • 64. DirSync DirSync populates Azure Active Directory with user accounts and groups from a local Active Directory http://blogs.office.com/2014/04/15/synchronizing-your-directory-with-office-365-is-easy/
  • 66. Office 365 & Azure Active Directory Services Identity Provider (IDP) Service Provider (SP) Azure Active Directory Local Active Directory
  • 67. Enabling Federation Install Azure Active Directory PowerShell module Run PowerShell commands • $cred=Get-Credential • Connect-MsolService –Credential $cred • Convert-MsolDomainToFederated –DomainName <domain>
  • 68. Office 365 Federated Login login.microsoftonline.com
  • 69. Office 365 Federated Login danbrinkmann.com is a Federated
  • 70. Office 365 Federated Login After typing the username it automatically redirects to my IdP
  • 71. Office 365 Federated Login Login to ADFS 3.0 (Windows 2012 R2) ADFS server then redirects to: https://login.microsoftonline.com/login.srf
  • 72. Office 365 Federated Login
        <saml:Attribute AttributeName="UPN" AttributeNamespace="http://schemas.xmlsoap.org/claims">
          <saml:AttributeValue>dbrinkmann@danbrinkmann.com</saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute AttributeName="ImmutableID" AttributeNamespace="http://schemas.microsoft.com/LiveID/Federation/2008/05">
  • 73. Office 365 Federated Login Authorization succeeds, account is matched to O365 mail account
  • 74. Problem Solved? How many times would you want to do this on a mobile device? SAML / WS-Federation is a heavy process 2-factor authentication is a common enterprise IdP implementation Cumbersome to end users
  • 75. Problem Solved? How can we streamline AuthN? Cache password on mobile device • What about 2FA? • Apps get complete access to a user’s account • Users can’t revoke access to an app / device except by changing their password • Compromised apps expose the user’s password • Remember WebDAV?
  • 76. Enter OAuth AuthZ Authorization (AuthZ) without passwords Tokens can be revoked Tokens can be scoped Tokens can be time-limited Lightweight
  • 77. Example OAuth Token
        {"expires_in":28800,"token_type":"bearer","apicp":"sharefile.com",
         "access_files_folders":true,"change_my_settings":true,"admin_users":true,
         "expires_at_unix":"1,405,816,443.33826","refresh_token":"m5rU7aWB….",
         "subdomain":"danbrinkmann","modify_files_folders":true,"web_app_login":true,
         "admin_accounts":true,"appcp":"sharefile.com","access_token":"m5rU7aWB….."}
  • 78. OAuth vs SAML Token (and I even trimmed out the signing certificate of the SAML Token)
        OAuth token:
        {"expires_in":28800,"token_type":"bearer","apicp":"sharefile.com",
         "access_files_folders":true,"change_my_settings":true,"admin_users":true,
         "expires_at_unix":"1,405,816,443.33826","refresh_token":"m5rU7aWB….",
         "subdomain":"danbrinkmann","modify_files_folders":true,"web_app_login":true,
         "admin_accounts":true,"appcp":"sharefile.com","access_token":"m5rU7aWB….."}
        SAML token:
        <samlp:Response ID="_97c40e4a-d04e-409d-8ecc-1a2728f87873" Version="2.0" IssueInstant="2013-01-21T17:50:41.470Z"
            Destination="https://onprem.sharefile.com/saml/acs" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
            InResponseTo="_ef94eec3026e4b49b86d6d162a3def59" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
          <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://adfs.sharefiletest.com/adfs/services/trust</Issuer>
          <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" /></samlp:Status>
          <Assertion ID="_f1ad9c25-5632-414e-9b9c-e80d08c1f3ca" IssueInstant="2013-01-21T17:50:41.470Z" Version="2.0"
              xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
            <Issuer>http://adfs.sharefiletest.com/adfs/services/trust</Issuer>
            <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
              <ds:SignedInfo>
                <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
                <ds:Reference URI="#_f1ad9c25-5632-414e-9b9c-e80d08c1f3ca">
                  <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                  </ds:Transforms>
                  <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                  <ds:DigestValue>KXdq8sGKJoFSBSB9YkF9LN7/8Ik=</ds:DigestValue>
                </ds:Reference>
              </ds:SignedInfo>
              <ds:SignatureValue>aUaw…dzA==</ds:SignatureValue>
              <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
                <ds:X509Data><ds:X509Certificate>MIIC…KOw==</ds:X509Certificate></ds:X509Data>
              </KeyInfo>
            </ds:Signature>
            <Subject>
              <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">juliano.maldaner@citrix.com</NameID>
              <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <SubjectConfirmationData InResponseTo="_ef94eec3026e4b49b86d6d162a3def59"
                    NotOnOrAfter="2013-01-21T17:55:41.470Z" Recipient="https://onprem.sharefile.com/saml/acs" />
              </SubjectConfirmation>
            </Subject>
            <Conditions NotBefore="2013-01-21T17:50:41.467Z" NotOnOrAfter="2013-01-21T18:50:41.467Z">
              <AudienceRestriction><Audience>http://onprem.sharefile.com/saml/info</Audience></AudienceRestriction>
            </Conditions>
            <AttributeStatement>
              <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn">
                <AttributeValue>juliano.maldaner@citrix.com</AttributeValue>
              </Attribute>
            </AttributeStatement>
            <AuthnStatement AuthnInstant="2013-01-21T17:50:41.429Z" SessionIndex="_f1ad9c25-5632-414e-9b9c-e80d08c1f3ca">
              <AuthnContext><AuthnContextClassRef>urn:federation:authentication:windows</AuthnContextClassRef></AuthnContext>
            </AuthnStatement>
          </Assertion>
        </samlp:Response>
  • 79. OAuth in Consumer Lives Creating a separate username / password not required
  • 80. OAuth in Consumer Lives Scoped Access
  • 81. OAuth in Consumer Lives The irony of this slide
  • 82. How OAuth is used in Enterprise Apps Instead of AuthN each time use AuthZ Protect mobile application using PIN / Passcode
  • 83. Mobile App Solution Authenticate via IdP (FTU) Exchange SAML Token for OAuth Token Use OAuth Access Token to access the application
  • 84. Mobile App Solution If the Access Token fails get a new one using the Refresh Token If the Refresh Token fails then prompt user to re-authenticate Re-authenticate via IdP
  • 85. Summary Federation necessary for next-generation & mobile applications Authentication (AuthN) Authorization (AuthZ) SAML OAuth

Editor's Notes

  1. <saml:Attribute AttributeName="UPN" AttributeNamespace="http://schemas.xmlsoap.org/claims"><saml:AttributeValue>dbrinkmann@danbrinkmann.com</saml:AttributeValue></saml:Attribute><saml:Attribute AttributeName="ImmutableID" AttributeNamespace="http://schemas.microsoft.com/LiveID/Federation/2008/05">
  2. With refresh token: send the API request with the access token. If the access token is invalid, try to update it using the refresh token. If the refresh request passes, update the access token and re-send the initial API request. If the refresh request fails, ask the user to re-authenticate.
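The mobile-app token lifecycle from slides 83-84 and note 2 above, as an added example that is not the deck's or any vendor's code: TokenEndpoint and MobileClient are hypothetical stand-ins for the SaaS token/API endpoint and the app, the scope names are borrowed from the boolean fields of the slide 77 token, and the IdP round trip is simulated by a callable that reports whether the SAML login succeeded.

```python
# Scope names taken from the boolean fields in the slide 77 token (model only, not the real API)
ALL_SCOPES = {"access_files_folders", "modify_files_folders", "change_my_settings",
              "web_app_login", "admin_users", "admin_accounts"}
EPOCH = 1_405_816_443  # constructed clock start, same order of magnitude as the slide's expires_at_unix


class TokenEndpoint:
    """Hypothetical SaaS token + API endpoint with its own clock, so the demo is deterministic."""

    def __init__(self, expires_in=28800):
        self.expires_in = expires_in
        self.now = EPOCH
        self.access = {}    # access_token -> (expires_at, scopes)
        self.refresh = {}   # refresh_token -> scopes
        self._n = 0

    def _issue(self, scopes):
        self._n += 1
        at, rt = f"at-{self._n}", f"rt-{self._n}"
        self.access[at] = (self.now + self.expires_in, scopes)
        self.refresh[rt] = scopes
        return {"token_type": "bearer", "expires_in": self.expires_in,
                "access_token": at, "refresh_token": rt, "scopes": sorted(scopes)}

    def exchange_saml_assertion(self, assertion_valid, scopes):
        """FTU step: trade the IdP's SAML assertion for a scoped, time-limited token pair (slide 83)."""
        if not assertion_valid:
            raise PermissionError("SAML assertion rejected")
        return self._issue(set(scopes) & ALL_SCOPES)

    def refresh_tokens(self, refresh_token):
        """Rotate: a refresh token is single use here; returns None if it was revoked or is unknown."""
        scopes = self.refresh.pop(refresh_token, None)
        return None if scopes is None else self._issue(scopes)

    def revoke(self, refresh_token):
        """User or admin revokes one app/device without touching the password (slide 76)."""
        self.refresh.pop(refresh_token, None)

    def api(self, access_token, needed_scope):
        """401 for an expired/unknown access token, 403 for a token that lacks the scope."""
        entry = self.access.get(access_token)
        if entry is None or self.now >= entry[0]:
            return 401
        return 200 if needed_scope in entry[1] else 403


class MobileClient:
    """The app: authenticates via the IdP once, then works with AuthZ tokens (slides 82-84)."""

    def __init__(self, endpoint, idp_login, scopes=("access_files_folders", "modify_files_folders")):
        self.ep, self.idp_login, self.scopes = endpoint, idp_login, scopes
        self.tokens, self.idp_logins, self.refreshes = None, 0, 0

    def authenticate(self):
        """Full IdP round trip (SAML, possibly with 2FA); only on FTU or when refresh fails."""
        self.idp_logins += 1
        self.tokens = self.ep.exchange_saml_assertion(self.idp_login(), self.scopes)

    def call(self, needed_scope):
        """Note 2: try the access token; on 401 refresh and retry; if refresh fails, re-authenticate."""
        status = self.ep.api(self.tokens["access_token"], needed_scope)
        if status != 401:
            return status
        fresh = self.ep.refresh_tokens(self.tokens["refresh_token"])
        if fresh is not None:
            self.refreshes += 1
            self.tokens = fresh
        else:
            self.authenticate()
        return self.ep.api(self.tokens["access_token"], needed_scope)
```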