OpenID Connect - how it solves enterprise problems


OpenID Connect is an identity layer on top of OAuth 2.0 Authorization Framework. This session gives an overview of the underlying concept and how it can help you solve your problems.

  1. Nomura Research Institute, Cloud Identity Summit 2013. OpenID Connect: How it solves your problems. July 10, 2013. Nat Sakimura, Nomura Research Institute; Chairman, The OpenID Foundation; @_nat_en; http://nat.sakimura.org/
  2. © 2013 by Nomura Research Institute. All rights reserved. B2E Identity, B2C Identity, G2C Identity, G2E Identity (source of pictures: Microsoft Office Online)
  3. "Why is OpenID Connect relevant for us in the enterprise? It's a consumer technology, is it not?"
  4. Not quite. Because I have a very enterprisey background…
  5. OpenID Connect was built with enterprise use in mind (as well as consumer use); it helps you build effective access governance over cloud services.
  6. What are the de facto federation and account provisioning protocols?
  7. Identity Federation: SAML? Account Provisioning: SPML?
  8. (image only)
  9. Identity Federation: Password Sharing. Account Provisioning: Custom CSV.
  10. Why did we fail?
  11. Too complex to understand: cognitive difficulty -> support difficulty. Different products did not interoperate. A large Japanese manufacturer:
      ▪ > 3000 partners all around the world
      ▪ Many of them were working with multiple companies
      ▪ Tried to create a SAML federation but failed.
  12. CSV is easy. • Hey, you just need Excel! And you can manually edit them! Password Sharing is easy. • Hey, it works on any application that supports passwords!
  13. Lots of (hidden) problems…
  14. Anything that more than 3 people know is not a secret! Can easily get out of sync. Allowing manual edit is a risk. De-provisioning? Archiving? Are you getting an audit trail of the access to those systems? etc…
  15. #fail
  16. Let’s re-do. This time, dead simple. Yes, we are reinventing a wheel, but this time it will be a little rounder.
  17. OpenID Connect & SCIM
  18. SAML vs. OpenID Connect
      SAML Web SSO                 OpenID Connect
      XML                          JSON
      XML Dsig                     JSON Web Signature (JWS)
      XML Encryption               JSON Web Encryption (JWE)
      SAML                         JSON Web Token
      SAML Assertion               ID Token (OIDC)
      SOAP (mostly…)               REST
      SAML Web SSO Profile         Standard (= OAuth 2.0 binding)
      SPML                         SCIM
  19. identity: set of attributes related to an entity (ISO/IEC 29115 | ITU-T X.1254). Note: distinguish identity and identifier carefully.
  20. An example of simplistic enterprise “identity”: Employee number: A12349898; Name: John Smith; Position: General Manager; Department: Finance; Company: ABCD Holding; Location: NYHQ; Datetime: 29130809T12:34:11Z
  21. Employee number: A12349898; Name: John Smith; Position: General Manager; Department: Finance; Company: ABCD Holding; Location: NYHQ; Datetime: 29130809T12:34:11Z. (diagram labels) logging / User interface / Access Control info
  22. (diagram labels) Real Name; Professional qualification; department; Geo-location; Employee number; Entity; Identity; Resource; Authentication; Policy Enforcement; Rules
  23. ABAC. Based on the SP800-162 figure on page viii. (diagram labels) identity; Resource; Rules; entity
  24. (diagram labels) Real Name; Professional qualification; department; Geo-location; Employee number; Entity; Identity; Resource; Authentication; PEP; PDP; PAP; Boss; Metadata; Log; Log
  25. Requirements
      R1 • Access Control MUST be done with the dynamic attributes
      R2 • Identity MUST be provided from the authoritative source
      R3 • Need to be able to provide flexible security.
      R4 • Need to be dead simple.
      R5 • Interoperability is the king.
      R6 • Limited connection (esp. mobile) ready.
      R7 • Unified technology for enterprise and consumer.
  26. (repeat of the slide 24 diagram) Real Name; Professional qualification; department; Geo-location; Employee number; Entity; Identity; Resource; Authentication; PEP; PDP; PAP; Boss; Metadata; Log; Log
  27. Deployment Experiences of OpenID Connect
  28. What kind of deployment have we done? Windows Domain integration; SMTP/IMAP/SSH & OpenID Connect; A large provider integration; Privacy Proxy
  29. Windows Domain Integration. (diagram labels) AD; Connect Server; Access Log; Service; Service; Service; Service; Registration; Discovery; HR System
  30. Easy to implement • Building was easy; • Deployment was easy, partly because you can “provision” the linked accounts. Nice user experience for enterprise users • No login dialogues; leverages Windows Logon; • No consent, as it is administered by the admin and follows privacy rules; • Helps avoid the “Pavlov’s Dog Problem”
  31. Turning Internet Dog into Pavlov’s Dog (Source: based on the IIW dog)
  32. But what about other protocols? SMTP / IMAP / SSH etc. Application Passwords …
  33. PAM Module for OpenID Connect. (diagram labels) SMTP; IMAP; SSH; PAM OIDC Plugin; OpenID Connect Server; Thunderbird; Web Browser; Token; Token as Password; Token Introspection
  34. Make sure to follow verification rules • Some implementations were bitten by not following MUSTs. Never send an access token without an accompanying ID Token to any other client. • Otherwise, you will be subject to the token swap attack. • http://www.thread-safe.com/2012/01/problem-with-oauth-for-authentication.html Care should be taken with “code” and “token” server-side verification • Maybe not so acute in most enterprise deployments, but one of the consumer solutions that we help run is doing 2000 tr/sec
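Added example, not from the talk: a relying-party side ID Token validator applying the MUST checks slide 34 refers to, with the aud check being what stops the token swap attack (an access token minted for some other client is useless without an ID Token whose aud names this client) and at_hash binding the access token to that ID Token. The key, issuer and client_id are constructed values, and HS256 is used so the demo runs offline; real RPs normally verify RS256 with keys from Discovery.

```python
import base64, hashlib, hmac, json, time

# Constructed values for an offline demo; a real RP takes these from OIDC Discovery.
KEY = b"constructed-shared-secret"
ISSUER = "https://op.example.com"
CLIENT_ID = "rp-finance-app"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_id_token(claims: dict, key: bytes = KEY) -> str:
    """Mint an HS256-signed JWT; stands in for the OP so the demo runs offline."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def at_hash(access_token: str) -> str:
    """OIDC at_hash for a SHA-256 alg: base64url of the left half of the digest."""
    digest = hashlib.sha256(access_token.encode("ascii")).digest()
    return _b64url(digest[: len(digest) // 2])

def verify_id_token(token: str, access_token: str, nonce: str,
                    key: bytes = KEY, now=None) -> dict:
    """The MUST checks an RP applies before trusting an ID Token (signature, iss,
    aud, exp, nonce) plus at_hash binding the access token. ValueError on failure."""
    now = time.time() if now is None else now
    header, body, sig = token.split(".")  # ValueError if not three segments
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # reject alg=none and alg confusion
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("ID Token was not issued for this client")  # token swap
    if claims.get("exp", 0) <= now:
        raise ValueError("ID Token expired")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch")  # replay / session fixation
    if "at_hash" in claims and not hmac.compare_digest(claims["at_hash"], at_hash(access_token)):
        raise ValueError("access token does not belong to this ID Token")
    return claims
```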