A recipe for standards-based Cloud IdM
I already regret the analogy

  • Fly in the ointment is XACML
  • Acknowledge that there is a SAML/XACML profile – but nobody uses it. What of composing XACML with OAuth – both nominally focussed on authz. What about carrying XACML in JWT etc etc
  • A recipe for standards-based Cloud IdM

    1. A recipe for standards-based Cloud IdM. Paul Madsen, @paulmadsen
    6. Ingredients: SAML, OAuth, SCIM, JWT
    7. Ingredients
       • A small number of ingredients can be composed to create useful & tasty dishes
       • SCIM, SAML, OAuth, and JWT provide a standards-based framework for cloud identity recipes
    8. (Gross) Oversimplifications
       • SAML – SSO for enterprise & cloud web apps
       • OAuth – authn & authz for RESTful APIs
       • SCIM – RESTful (and viable!) user provisioning
       • JWT – JSON-based SAML assertions
    9. SAML, SCIM, OAuth, JWT
    10. SAML, SCIM, OAuth, JWT
    11. SCIM & SAML
       • SCIM API messages to provision accounts for subsequent SAML SSO
       • SAML binding for SCIM
         • Carry the SCIM instance as attributes in the SAML SSO message
         • Alternative to a distinct CRUD operation using the SCIM RESTful protocol
         • Enables JIT provisioning
    12. SCIM & SAML
        <saml:AttributeStatement
            xmlns:xs="http://www.w3.org/2001/XMLSchema"
            xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
            xmlns:scim="http://placeholder.scim.org/2011/schema/extension">
          <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
                          Name="SCIM.userName">
            <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                 xsi:type="xs:string">bjensen@example.com</saml:AttributeValue>
          </saml:Attribute>
          <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
                          Name="SCIM.name.formatted">
            <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                 xsi:type="xs:string">Ms. Babs J Jensen III</saml:AttributeValue>
          </saml:Attribute>
        </saml:AttributeStatement>
    13. Challenges
       • Non-trivial to map the SCIM attribute schema into SAML's attribute model
       • The SCIM schema allows for
         • Complex structures
         • Multi-valued attributes
       • Which is why I've been negligent in the work
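The mapping problem on slides 11 to 13 is easier to see in code. The following is an added example, not code from the deck or from any SCIM or SAML library: it flattens a constructed SCIM user (with the complex `name` attribute and the multi-valued `emails` attribute) into `SCIM.`-prefixed SAML attribute names, emits the same `saml:AttributeStatement` shape as slide 12 using only the standard library, and parses it back on the receiving side. The flattening rule (dotted paths for complex attributes, one `AttributeValue` per element for multi-valued ones) is one possible convention, chosen here to show where the pairing of sub-attributes such as `primary` gets lost.

```python
import xml.etree.ElementTree as ET

# Namespaces and the NameFormat used on the slide
NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS_XS = "http://www.w3.org/2001/XMLSchema"
NS_XSI = "http://www.w3.org/2001/XMLSchema-instance"
NS_SCIM = "http://placeholder.scim.org/2011/schema/extension"
UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
for prefix, uri in (("saml", NS_SAML), ("xs", NS_XS), ("xsi", NS_XSI), ("scim", NS_SCIM)):
    ET.register_namespace(prefix, uri)

# Constructed sample SCIM user: 'name' is a complex attribute, 'emails' is multi-valued
SCIM_USER = {
    "userName": "bjensen@example.com",
    "externalId": "701984",
    "name": {"formatted": "Ms. Babs J Jensen III", "familyName": "Jensen", "givenName": "Barbara"},
    "emails": [
        {"value": "bjensen@example.com", "type": "work", "primary": True},
        {"value": "babs@jensen.org", "type": "home"},
    ],
}


def _text(value):
    # SAML attribute values are strings; render booleans the way SCIM JSON does
    if isinstance(value, bool):
        return "true" if value else "false"
    return str(value)


def flatten(value, path="SCIM", out=None):
    """Flatten a SCIM resource into {"SCIM.dotted.path": [values]}.

    Complex attributes become dotted names (SCIM.name.formatted). Multi-valued
    attributes contribute one value per element to the same name, in order
    (SCIM.emails.value gets two values). Sub-attributes that only some elements
    carry (primary) lose their pairing with the element they belong to, which is
    exactly the mapping problem the deck calls out.
    """
    if out is None:
        out = {}
    if isinstance(value, dict):
        for key, sub in value.items():
            flatten(sub, f"{path}.{key}", out)
    elif isinstance(value, list):
        for item in value:
            flatten(item, path, out)
    else:
        out.setdefault(path, []).append(_text(value))
    return out


def build_attribute_statement(user):
    """Serialize the flattened user as a saml:AttributeStatement like the slide's (IdP side)."""
    stmt = ET.Element(f"{{{NS_SAML}}}AttributeStatement")
    stmt.set("xmlns:xs", NS_XS)  # declare xs so the xsi:type="xs:string" QName resolves
    for name, values in flatten(user).items():
        attr = ET.SubElement(stmt, f"{{{NS_SAML}}}Attribute",
                             {"NameFormat": UNSPECIFIED, "Name": name})
        for v in values:
            av = ET.SubElement(attr, f"{{{NS_SAML}}}AttributeValue",
                               {f"{{{NS_XSI}}}type": "xs:string"})
            av.text = v
    return ET.tostring(stmt, encoding="unicode")


def parse_attribute_statement(xml_text):
    """Read the statement back into {Name: [values]} on the SaaS (SP) side."""
    root = ET.fromstring(xml_text)
    out = {}
    for attr in root.iter(f"{{{NS_SAML}}}Attribute"):
        out[attr.get("Name")] = [av.text or "" for av in attr.findall(f"{{{NS_SAML}}}AttributeValue")]
    return out


if __name__ == "__main__":
    xml = build_attribute_statement(SCIM_USER)
    print(xml)
    print(parse_attribute_statement(xml))
```

Round-tripping the statement gives back the flat name/value map, but not the original SCIM structure: `SCIM.emails.primary` carries a single `true` with nothing tying it to the first email, so a SaaS doing JIT provisioning from these attributes has to either agree on an ordering convention with the IdP or accept a lossy mapping.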
    14. SAML, SCIM, OAuth, JWT
    15. SCIM & OAuth
       1. Use SCIM to provision an account for subsequent OAuth-based mobile access to SaaS APIs
       2. Use OAuth to secure SCIM API calls
    16. SCIM & OAuth
        POST /User HTTP/1.1
        Host: example.com
        Accept: application/xml
        Authorization: Bearer h480djs93hd8

        <?xml version="1.0" encoding="UTF-8"?>
        <scim:User xmlns:scim="urn:scim:schemas:core:1.0">
          <userName>bjensen@example.com</userName>
          <externalId>701984</externalId>
          <emails>
            <email>
              <value>bjensen@example.com</value>
              <primary>true</primary>
              <type>work</type>
            </email>
          </emails>
        </scim:User>
       • The OAuth access token was issued by the SaaS to the enterprise, to use on subsequent SCIM calls
       • Note the difference from the archetypical OAuth delegated-authz use case
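Slide 16 shows the request but not what the SaaS does with it. The code below is an added example (not from the deck, and not any SCIM server's code): it parses the slide's request as raw HTTP text, pulls the bearer token out of the `Authorization` header, checks it against a constructed token store, and enforces the point the slide makes, that this token was issued to the enterprise itself rather than delegated by an end user. The token store, the `scim:read`/`scim:write` scope names and the fixed clock are all assumptions made for the example.

```python
import xml.etree.ElementTree as ET

NS_SCIM = "urn:scim:schemas:core:1.0"
NOW = 1_700_000_000  # fixed clock (constructed) so the example is deterministic

# Constructed token store on the SaaS, i.e. the OAuth resource server fronting the SCIM API.
# The slide's token was issued to the enterprise acting as itself, so it has no resource
# owner; the last entry is a user-delegated token for contrast.
TOKEN_STORE = {
    "h480djs93hd8": {"client_id": "enterprise-acme", "resource_owner": None,
                     "scopes": {"scim:read", "scim:write"}, "expires_at": NOW + 3600},
    "exp1red00000": {"client_id": "enterprise-acme", "resource_owner": None,
                     "scopes": {"scim:read", "scim:write"}, "expires_at": NOW - 1},
    "userdeleg424": {"client_id": "mobile-app", "resource_owner": "bjensen",
                     "scopes": {"scim:write"}, "expires_at": NOW + 3600},
}
REQUIRED_SCOPE = {"GET": "scim:read", "POST": "scim:write", "PUT": "scim:write", "DELETE": "scim:write"}

# The request from the slide, reproduced as raw HTTP/1.1 text (constructed copy)
RAW_REQUEST = (
    "POST /User HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "Accept: application/xml\r\n"
    "Authorization: Bearer h480djs93hd8\r\n"
    "\r\n"
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<scim:User xmlns:scim="urn:scim:schemas:core:1.0">'
    "<userName>bjensen@example.com</userName><externalId>701984</externalId>"
    "<emails><email><value>bjensen@example.com</value><primary>true</primary>"
    "<type>work</type></email></emails></scim:User>"
)


def parse_request(raw):
    """Split raw HTTP text into (method, target, headers, body); header names lower-cased."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def bearer_token(headers):
    """Return the token from 'Authorization: Bearer <token>' or None (scheme is case-insensitive)."""
    scheme, _, token = headers.get("authorization", "").partition(" ")
    return token.strip() if scheme.lower() == "bearer" and token.strip() else None


def authorize_scim(raw, now=NOW):
    """Decide a SCIM request. Returns (HTTP status, detail) as the resource server would."""
    method, target, headers, body = parse_request(raw)
    token = bearer_token(headers)
    if token is None:
        return 401, "missing bearer token"
    rec = TOKEN_STORE.get(token)
    if rec is None or rec["expires_at"] <= now:
        return 401, "invalid_token"
    needed = REQUIRED_SCOPE.get(method)
    if needed is None or needed not in rec["scopes"]:
        return 403, "insufficient_scope"
    # Provisioning is app-to-app: a token a user delegated to a mobile app is not
    # the enterprise's authority to create accounts, whatever scopes it carries.
    if rec["resource_owner"] is not None:
        return 403, "provisioning requires a client token, not a user-delegated one"
    if method == "POST":
        user = ET.fromstring(body)
        user_name = user.findtext("userName")
        if user.tag != f"{{{NS_SCIM}}}User" or not user_name:
            return 400, "malformed SCIM User"
        return 201, f"created {user_name} on behalf of client {rec['client_id']}"
    return 200, f"{method} {target} accepted for client {rec['client_id']}"


if __name__ == "__main__":
    print(authorize_scim(RAW_REQUEST))
```

The resource-owner check is the part a plain scope check misses: scopes say what a token may do, not who it was issued to, and a provisioning endpoint cares about the latter.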
    17. SAML, SCIM, OAuth, JWT
    18. SAML & OAuth
       • SAML OAuth Hybrid – carry an OAuth token in SAML SSO messages
       • OAuth SAML Assertion profile – use SAML assertions within the OAuth flow; trade an assertion for a token
       • SAML OAuth Sequencing – use SAML SSO in order to authenticate the user to the AS
    19. OAuth, SAML, OAuth
    20. Demo. Copyright © 2011. Cloud Identity Summit. All Rights Reserved.
    21. Demo
    22. Demo
    23. Demo
    24. SAML, SCIM, OAuth, JWT
    26. SAML & JWT & OAuth – the layers
       • SAML assertion profile / JWT assertion profile – profiles for specific assertion formats
       • Assertion profile – how to use assertions for client authentication and as a grant type
       • OAuth – core protocol
    27. SAML & JWT & OAuth
       • Use a SAML assertion or JWT for OAuth client authentication and/or as an OAuth grant type
        POST /token HTTP/1.1
        Host: server.example.com
        Content-Type: application/x-www-form-urlencoded

        grant_type=authorization_code&
        code=i1WsRn1uB1&
        client_id=s6BhdRkqt3&
        client_assertion_type=urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Aassertion&
        client_assertion=PHNhbWxwOl…...ZT
       • Client authenticating to the AS token endpoint using an assertion rather than a secret
    28. SAML, SCIM, OAuth, JWT, OpenID Connect
    29. OpenID Connect == JWT & OAuth & identity
       • OAuth is a general mechanism to authorize API access; OpenID Connect profiles the generic for purposes of sharing profile information & enabling an SSO protocol
       • Uses the authz code & implicit grant types – the pieces of OAuth optimized for user-consent scenarios
       • Leverages the authorization & token endpoints & adds identity-based params to core OAuth messages
    30. OpenID Connect
       • OpenID Provider
         – Adds to the OAuth 2.0 Authorization Service
           • Issues id_token in addition to access_token
         – Codifies a standardized Resource Service
           • UserInfo Endpoint
       • Relying Party
         – OAuth client to the endpoints exposed by the OpenID Provider
           • Implicit Grant or Authorization Code Flows
    31. Base OAuth (ignoring the distinction as to whether the tokens actually flow front-channel, or instead back-channel after a front-channel step). Actors: User Agent, AS, Client, RS.
        1) GET A TOKEN – Client and AS
        2) USE A TOKEN – Client and RS
    32. OpenID Connect on top of Base OAuth (again ignoring the front-channel/back-channel distinction). Actors: User Agent, AS, Client, RS (UserInfo).
        1) GET A TOKEN – Client and AS
        2) READ A TOKEN – Client
        3) USE A TOKEN – Client and RS (UserInfo)
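Slides 27 and 29 to 32 both turn on the same primitive, a signed JWT, so one added example covers both; it is not code from the deck or from any OAuth or OpenID Connect library. It implements a minimal compact JWS (HS256 with a shared secret, an assumption standing in for the asymmetric keys a real AS or OP would publish), then uses it twice: first as the `client_assertion` a client presents at the token endpoint instead of a `client_secret` (the JWT counterpart of the SAML assertion on slide 27, using the RFC 7523 `client_assertion_type` value), and second as the `id_token` the Relying Party must read and validate before it uses the `access_token` at UserInfo (the three steps of slide 32). The endpoint URLs, client key registry, nonce and UserInfo stand-in are constructed for the example.

```python
import base64
import hashlib
import hmac
import json

NOW = 1_700_000_000  # fixed clock (constructed)

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def jwt_sign(claims: dict, key: bytes) -> str:
    """Compact JWS, HS256. A shared secret stands in for a real AS/OP's asymmetric key."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def jwt_verify(token: str, key: bytes) -> dict:
    """Check the signature and return the claims; raise ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    header, payload, sig = parts
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # the verifier, not the token, picks the algorithm
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(payload))

# --- slide 27: the client authenticates to the token endpoint with an assertion, not a secret ---
TOKEN_ENDPOINT = "https://server.example.com/token"  # constructed
CLIENT_KEYS = {"s6BhdRkqt3": b"constructed-key-registered-for-s6BhdRkqt3"}  # constructed registry
JWT_BEARER = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"  # RFC 7523 value
SEEN_JTI = set()

def client_assertion(client_id: str, key: bytes, jti: str, now: int = NOW) -> str:
    """What the client sends as client_assertion: short-lived, audience-bound, single use."""
    return jwt_sign({"iss": client_id, "sub": client_id, "aud": TOKEN_ENDPOINT,
                     "iat": now, "exp": now + 300, "jti": jti}, key)

def authenticate_client(form: dict, now: int = NOW) -> str:
    """Token-endpoint side. Returns the authenticated client_id or raises ValueError."""
    if form.get("client_assertion_type") != JWT_BEARER:
        raise ValueError("unsupported client_assertion_type")
    key = CLIENT_KEYS.get(form.get("client_id"))
    if key is None:
        raise ValueError("unknown client")
    claims = jwt_verify(form["client_assertion"], key)
    if not (claims.get("iss") == claims.get("sub") == form["client_id"]):
        raise ValueError("assertion not issued by this client")
    if claims.get("aud") != TOKEN_ENDPOINT:
        raise ValueError("assertion not meant for this token endpoint")
    if claims.get("exp", 0) <= now:
        raise ValueError("assertion expired")
    if claims.get("jti") in SEEN_JTI:
        raise ValueError("assertion replayed")
    SEEN_JTI.add(claims["jti"])
    return form["client_id"]

# --- slides 29-32: OpenID Connect adds an id_token to read and a UserInfo endpoint to use ---
OP_ISSUER = "https://op.example.com"  # constructed
OP_KEY = b"constructed-op-signing-key"  # stand-in for the OP's published signing key
USERINFO = {}  # constructed stand-in for the UserInfo endpoint, keyed by access_token

def op_issue(client_id: str, user_sub: str, nonce: str, now: int = NOW) -> dict:
    """1) GET A TOKEN: the OP returns an id_token alongside the access_token."""
    id_token = jwt_sign({"iss": OP_ISSUER, "sub": user_sub, "aud": client_id,
                         "iat": now, "exp": now + 600, "nonce": nonce}, OP_KEY)
    access_token = b64url(hashlib.sha256(id_token.encode()).digest())[:22]
    USERINFO[access_token] = {"sub": user_sub, "name": "Babs Jensen", "email": "bjensen@example.com"}
    return {"id_token": id_token, "access_token": access_token, "token_type": "Bearer"}

def rp_read_id_token(response: dict, client_id: str, expected_nonce: str, now: int = NOW) -> str:
    """2) READ A TOKEN: the RP validates the id_token before treating the user as logged in."""
    claims = jwt_verify(response["id_token"], OP_KEY)
    if claims.get("iss") != OP_ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != client_id:
        raise ValueError("id_token issued to a different client")
    if claims.get("exp", 0) <= now:
        raise ValueError("id_token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch: possible replay")
    return claims["sub"]

def rp_use_access_token(response: dict):
    """3) USE A TOKEN: the access_token, not the id_token, goes to UserInfo."""
    return USERINFO.get(response["access_token"])
```

Two of the checks are the ones most often skipped in practice: `aud` on the `id_token` (an `id_token` minted for one RP must not log the user into another) and the `jti` replay set on the client assertion (without it, a captured assertion authenticates the client until it expires).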
    33. SAML, SCIM, OAuth, JWT, UMA
    34. UMA == OAuth + centralized authz
       1. OAuth allows for pairwise app-to-app connections. UMA, in addition, defines a hub from which many pairwise sharing connections can be managed, controlled, and revoked.
       2. OAuth solves for person-to-self sharing. UMA, in addition, solves for secure person-to-person sharing and person-to-organization sharing.
       3. OAuth leaves unstated how its "authorization server" and "resource server" components interact. UMA fully defines a standard interface between its enhanced versions of these two components, the authorization manager and host.
       (From the UMA FAQ)
    35. SAML, SCIM, OAuth, JWT, XACML?
    36. XACML?
    37. Speculative
       • XACML policy (a TBD JSON binding) inside a JWT???
         • Extends the simple scope model
       • Interplay between SCIM-provisioned attributes & SaaS XACML policies?
       • RESTful authz query for XACML?
         • PEP sends an access token to the PDP (along with scopes); the PDP resolves the token as necessary and returns yes/no to the PEP
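The last bullet of slide 37 describes a PEP/PDP split where the PDP, not the PEP, resolves the access token. The code below is an added example of that shape, written for this page rather than taken from the deck or from any XACML implementation: the PEP in front of the resource server extracts the bearer token and asks the PDP for a yes/no on (token, resource, action, scope); the PDP resolves the token to the attributes the AS issued it with (a constructed table standing in for introspection or a self-contained JWT) and evaluates a small attribute-based policy. The policy format, the `ledger:*` scopes and the `dept` attribute are assumptions; the policy is shaped so that one request has the right scope but is still denied, which is what "extends the simple scope model" buys you.

```python
NOW = 1_700_000_000  # fixed clock (constructed)

# What the AS knows about the tokens it issued; the PDP "resolves" a token to this
# (constructed, standing in for an introspection call or a self-contained JWT).
ISSUED_TOKENS = {
    "tok-alice": {"sub": "alice", "dept": "finance", "scopes": {"ledger:read"}, "exp": NOW + 3600},
    "tok-bob": {"sub": "bob", "dept": "sales", "scopes": {"ledger:read", "ledger:write"}, "exp": NOW + 3600},
    "tok-old": {"sub": "carol", "dept": "finance", "scopes": {"ledger:write"}, "exp": NOW - 60},
}

# Constructed policy in the shape a JSON XACML binding might carry: each rule is a
# target (resource, action) plus conditions on the token's scope and resolved attributes.
POLICY = [
    {"effect": "Permit", "resource": "/ledger", "action": "GET", "scope": "ledger:read"},
    {"effect": "Permit", "resource": "/ledger", "action": "POST", "scope": "ledger:write",
     "attributes": {"dept": "finance"}},
]  # no matching rule -> Deny (XACML's NotApplicable, which the PEP treats as Deny)


def resolve_token(token, now):
    """PDP side: turn the opaque token into attributes, or None if it cannot be trusted."""
    rec = ISSUED_TOKENS.get(token)
    if rec is None or rec["exp"] <= now:
        return None
    return rec


def pdp_decide(token, resource, action, requested_scope, now=NOW):
    """The RESTful yes/no query: the PEP hands over the token and the scope it needs."""
    subject = resolve_token(token, now)
    if subject is None or requested_scope not in subject["scopes"]:
        return "Deny"
    for rule in POLICY:
        if (rule["resource"], rule["action"], rule["scope"]) != (resource, action, requested_scope):
            continue
        # scope alone is not enough: the rule may also condition on resolved attributes
        if all(subject.get(k) == v for k, v in rule.get("attributes", {}).items()):
            return rule["effect"]
    return "Deny"


def pep_handle(method, path, headers, now=NOW):
    """PEP in front of the RS: extract the bearer token, ask the PDP, enforce the answer."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        return 401
    needed = {"GET": "ledger:read", "POST": "ledger:write"}.get(method)
    if needed is None:
        return 405
    decision = pdp_decide(token, path, method, needed, now)
    return 200 if decision == "Permit" else 403


if __name__ == "__main__":
    for who in ("tok-alice", "tok-bob", "tok-old"):
        print(who, pep_handle("POST", "/ledger", {"Authorization": f"Bearer {who}"}))
```

Bob's token carries `ledger:write`, so a pure scope check at the RS would let his POST through; the PDP denies it because the rule also requires `dept == finance`, an attribute the token resolves to but a scope string cannot express.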
    38. Diagram. Actors: AS (issuance), Client, PEP, RS, PDP (y/n)
    39. Questions