Thinking about the FIDO and Federation business from an enterprise perspective

Title:
"Thinking about the FIDO and Federation business from an enterprise perspective"

Abstract:
In the IoT era, where device diversity keeps growing and identity federation is becoming more important, this talk considers how FIDO, which has emerged as a new authentication method, will relate to the enterprise going forward, the relationship between FIDO and Federation, and how both connect to business.

ID & IT Management Conference 2015, Sep. 18, 2015
URL: http://nosurrender.jp/idit2015/program.html#TE09



  1. Thinking about the FIDO and Federation business from an enterprise perspective. NOV & Kura
  2. Nov Matake • Security Engineer, GREE • Evangelist, OIDF-J • Interested in • Digital Identity • Security • Privacy
  3. FIDO support status of the major Federation-related companies
  4. http://googleappsupdates.blogspot.jp/2015/06/a-special-offer-and-new-controls-for.html
  5. https://twitter.com/FIDOAlliance/status/642015268059918336
  6. https://blogs.windows.com/business/2015/02/13/microsoft-announces-fido-support-coming-to-windows-10/
  7. https://technet.microsoft.com/en-us/library/mt126165.aspx
  8. https://www.pingidentity.com/en/blog/2014/12/10/fido_is_not_the_end_of_passwords_and_thats_ok.html
  9. • The major companies have all joined the FIDO Alliance • Google Apps has already deployed U2F • Okta has announced U2F support • Microsoft is trying to make Windows Hello + Microsoft Passport UAF 2.0 • And Ping Identity?
  10. FIDO support status of the major devices / user agents
  11. http://www.windowscentral.com/video-windows-hello-realsense-camera
  12. http://pctechmag.com/2014/10/you-can-log-into-gmail-with-a-usb-key-starting-today/
  13. http://www.androidcentral.com/how-link-your-fingerprint-paypal-samsung-galaxy-s5
  14. The share of supporting devices is still low, but support in the major OSes / UAs has started. "FIDO is mandatory" is unrealistic; "authentication is easier if you are FIDO Certified" is feasible.
  15. FIDO and Federation …used together? …in competition?
  16. https://www.pingidentity.com/en/blog/2014/12/10/fido_is_not_the_end_of_passwords_and_thats_ok.html
  17. – Paul Madsen, Ping Identity: “FIDO is an 'authentication' standard, not an 'identity' standard - if the web site needs more attributes for personalization & authorization, then FIDO can't provide them (but OpenID Connect etc. can).” https://www.pingidentity.com/en/blog/2014/12/10/fido_is_not_the_end_of_passwords_and_thats_ok.html
  18. – Paul Madsen, Ping Identity (the deck's Japanese rendering of the quote): “FIDO is an 'authentication' standard, not an 'identity' standard. It is OpenID Connect, not FIDO, that provides attribute information.” https://www.pingidentity.com/en/blog/2014/12/10/fido_is_not_the_end_of_passwords_and_thats_ok.html
  19. "No access except for regular employees" (image: By Jenkins Project)
  20. https://fidoalliance.org/specifications/overview/
  21. Select the optimal authentication strength and UX according to context; standardized by FIDO.
  22. Where in the Federation scenario should FIDO be used to achieve strong authentication and an easy-to-use UX?
  23. Kura • Engineer, Yahoo! JAPAN • Evangelist, OIDF-J • Interested in • Identity Federation • OpenID Connect • JOSE WG • IoT
  24. FIDO's area of responsibility in Federation
  25.–31. Build-up diagram, "FIDO's area of responsibility": the areas added one by one are Provisioning, Authentication, Federation, Single Sign-On and Attributes; the standards listed alongside them are SCIM, OpenID Connect and SAML.
  32. FIDO is added to the diagram: the Authentication area is FIDO's area of responsibility.
  33. Sequence diagram (End-User, RP, IdP): Start OpenID Connect → Authentication Request (Redirect) → Login (Authentication) → Authorization Code (Redirect) → Token Request → Access Token / Refresh Token / ID Token → UserInfo Endpoint → Resource Access → Resource.
  34. Same diagram, annotated: in OpenID Connect the authentication flow itself (the Login step) is outside the scope of the specification.
  35. Same diagram with FIDO placed at the Login (Authentication) step.
  36. FIDO's area of responsibility: this is where authentication by fingerprint, voiceprint, PIN and so on is performed.
  37. OpenID Connect authentication flow with FIDO applied
  38. The sequence diagram of slide 33 again.
  39. Same diagram with FIDO at the Login step.
  40. The Login step expanded into the FIDO Authentication Operation; participants: IdP, User Agent, FIDO Client, Authenticator, End User.
  41. User Agent: the browser's user agent, the entry point through which requests are made to FIDO.
  42. FIDO Client: the client that accepts the authentication request and returns the response.
  43. Authenticator: the authentication device (fingerprint, voiceprint and the like).
  44. FIDO's area of responsibility (highlighted in the diagram).
  45. Same diagram, no annotation.
  46. IdP → User Agent: Auth Request.
  47. The "IdP" is the party that issues the authentication request.
  48.–50. The Auth Request is forwarded User Agent → FIDO Client → Authenticator.
  51. The FIDO Client selects an appropriate Authenticator according to the policy the IdP requires.
  52.–54. Authenticator ↔ End User: User Verification (Verify User).
  55. The user is authenticated with a FIDO Certified device such as a fingerprint or voiceprint reader.
  56.–57. Authenticator: SignData.
  58. A signed authentication result is generated.
  59.–61. SignData is returned Authenticator → FIDO Client → User Agent, and the User Agent sends Auth Response (SignData) to the IdP.
  62. The IdP verifies the signature and the authentication result.
  63. Because everything is handled between FIDO and the IdP, the RP does not need to be aware of the authentication.
  64. Sequence diagram as on slide 33, with RP(App) as the relying party and FIDO at the Login step.
  65. FIDO can complement the authentication processing of OpenID Connect.
  66. Case: the ID management service uses FIDO on its own
  67. The administrator requires FIDO. Once FIDO spreads, ID management services such as Azure AD and AD FS may be able to use it too. Just as with multi-factor authentication settings, an IT admin may be able to require users to authenticate with a FIDO Certified device.
  68. It may become possible to require authentication with a FIDO Certified device for the primary authentication and for multi-factor authentication.
  69. It may become possible to require authentication with a registered FIDO Certified key (device).
  70. About amr / amr_values in OpenID Connect
  71. What is amr? amr: Authentication Methods References. A Claim in the ID Token returned by OpenID Connect; an identifier for the authentication method that was used, for example password or one-time password. Note: ID Token = a security token containing Claims about the End-User's authentication; Claim = a piece of attribute information about some subject.
  72. amr values: eye = retina, fpt = fingerprint, kba = knowledge-based authentication, mca = multi-channel authentication, mfa = multi-factor authentication, otp = one-time password, pop = proof-of-possession, pwd = password, risk = risk-based authentication, sms = SMS authentication, tel = telephone-call authentication, user = in-person verification, vbm = voice biometric, wia = Windows integrated authentication.
  73. What is amr_values? amr_values: Authentication Methods References values. Specifies, in the OpenID Connect authentication request, the authentication methods the RP wants to request. https://tools.ietf.org/html/draft-jones-oauth-amr-values-01
  74. Case: the authentication method can be obtained from the ID management service (amr support)
  75. Sequence diagram (End-User, RP(App), IdP) as on slide 64, with FIDO at the Login step.
  76. The amr value is set in the ID Token, so the RP can determine the authentication method that was used.
  77. ID Token Payload:
      {
        "iss": "https://server.example.com",
        "sub": "24400320",
        "aud": "s6BhdRkqt3",
        "nonce": "n-0S6_WzA2Mj",
        "exp": 1311281970,
        "iat": 1311280970,
        "auth_time": 1311280969,
        "amr": ["pwd"]
      }
  78. Same payload, annotated: when the user authenticates with a password, "pwd" is returned. And this value…
  79. Same payload with "amr": ["fido"]: …becomes "fido"!! …maybe (not defined in the draft).
  80. Case: the authentication method can be requested from the ID management service (amr_values and amr support)
  81. Sequence diagram (End-User, RP(App), IdP) as on slide 64, with FIDO at the Login step.
  82. At authentication-request time, amr_values can specify the authentication method.
  83. The amr value is set in the ID Token, so the RP can determine the authentication method that was used.
  84. Authentication Request:
      HTTP/1.1 302 Found
      Location: https://server.example.com/authorize?
        response_type=code
        &scope=openid%20profile%20email
        &client_id=s6BhdRkqt3
        &amr_values=otp
        &state=af0ifjsldkj
        &redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb
  85. Same request, annotated: "otp" requests authentication by one-time password. And here…
  86. Same request with &amr_values=fido: …specifying "fido" may make it possible to request authentication with a FIDO Certified device!! …maybe (not defined in the draft).
  87. Benefits of amr / amr_values: the RP can change the authentication method according to the user's action, and change the permissions it grants according to the authentication strength. For example, a general user viewing information is required to use a password; an administrator updating information is required to use password + fingerprint authentication.
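To make the amr / amr_values idea of slides 71 to 87 concrete, here is an added Python example (not code from the deck or its authors): it checks the deck's sample ID Token payload, reads the amr claim, applies a hypothetical per-action policy modelled on slide 87 (view: pwd; admin update: pwd + fpt), and builds a step-up Authentication Request carrying amr_values when the policy is not met. The policy table, action names and helper functions are assumptions, and JWS signature verification of the ID Token is assumed to have happened before these checks run.

```python
import secrets
from urllib.parse import urlencode, quote

# amr values as listed on slide 72. "fido" is deliberately absent: the deck
# notes that it is not defined in draft-jones-oauth-amr-values-01.
KNOWN_AMR_VALUES = {
    "eye", "fpt", "kba", "mca", "mfa", "otp", "pop", "pwd",
    "risk", "sms", "tel", "user", "vbm", "wia",
}

# Hypothetical RP policy modelled on slide 87: every listed method must be in amr.
ACTION_POLICY = {
    "view_info": {"pwd"},            # general user reading information
    "admin_update": {"pwd", "fpt"},  # administrator updating information
}

# Constructed sample: the payload shown on slide 77 (signature assumed verified).
SAMPLE_PAYLOAD = {
    "iss": "https://server.example.com",
    "sub": "24400320",
    "aud": "s6BhdRkqt3",
    "nonce": "n-0S6_WzA2Mj",
    "exp": 1311281970,
    "iat": 1311280970,
    "auth_time": 1311280969,
    "amr": ["pwd"],
}


def validate_id_token_payload(payload, expected_iss, expected_aud, expected_nonce, now):
    """Minimal claim checks (iss, aud, nonce, exp) on a signature-verified payload."""
    if payload.get("iss") != expected_iss:
        raise ValueError("iss mismatch")
    aud = payload.get("aud")
    aud_list = [aud] if isinstance(aud, str) else list(aud or [])
    if expected_aud not in aud_list:
        raise ValueError("aud mismatch")
    if payload.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    if not isinstance(payload.get("exp"), int) or now >= payload["exp"]:
        raise ValueError("ID Token expired or exp missing")
    return payload


def authentication_methods(payload):
    """Return (set of amr values, subset the RP does not recognise).

    amr is optional: a missing claim yields an empty set, so the RP knows nothing
    about how the user authenticated and must not grant stepped-up access.
    """
    amr = payload.get("amr") or []
    if not isinstance(amr, list) or not all(isinstance(v, str) for v in amr):
        raise ValueError("amr must be a JSON array of strings")
    methods = set(amr)
    return methods, methods - KNOWN_AMR_VALUES


def missing_methods(action, methods):
    """Methods ACTION_POLICY requires for `action` that are absent from `methods`."""
    return ACTION_POLICY[action] - methods


def is_permitted(action, methods):
    return not missing_methods(action, methods)


def build_step_up_request(authorize_endpoint, client_id, redirect_uri, state, nonce, required):
    """Build an OpenID Connect Authentication Request URL carrying amr_values.

    amr_values is space-separated; quote_via=quote encodes the space as %20
    (and '/' as %2F), matching the encoding of the deck's slide 84 example.
    """
    params = {
        "response_type": "code",
        "scope": "openid profile email",
        "client_id": client_id,
        "amr_values": " ".join(sorted(required)),
        "state": state,
        "nonce": nonce,
        "redirect_uri": redirect_uri,
    }
    return authorize_endpoint + "?" + urlencode(params, quote_via=quote)


def decide(action, payload, now=1311280980):
    """Return ("allow", None) or ("step-up", url) for an action and an ID Token payload."""
    validate_id_token_payload(payload, "https://server.example.com", "s6BhdRkqt3",
                              "n-0S6_WzA2Mj", now)
    methods, _unknown = authentication_methods(payload)
    if is_permitted(action, methods):
        return "allow", None
    # Fresh state and nonce for the step-up request; client_id and redirect_uri
    # are the deck's example values.
    url = build_step_up_request(
        "https://server.example.com/authorize", "s6BhdRkqt3",
        "https://client.example.org/cb", secrets.token_urlsafe(16),
        secrets.token_urlsafe(16), ACTION_POLICY[action],
    )
    return "step-up", url
```
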
  88. Summary: FIDO support in IDaaS and in devices is progressing. Using FIDO together with Federation brings benefits. If the authentication method can be obtained, the service can vary what it offers, and with amr even more advanced things become possible.
