Nomura Research Institute
Cloud Identity Summit 2013
OpenID Connect:
How it solves your problems
July 10, 2013
Nat Sakimura
Nomura Research Institute
Chairman, The OpenID Foundation
@_nat_en
http://nat.sakimura.org/
© 2013 by Nomura Research Institute. All rights reserved.
B2E Identity / B2C Identity / G2C Identity / G2E Identity
(Source of pictures: Microsoft Office Online)
"Why is OpenID Connect relevant for us in the enterprise? It's a consumer technology, is it not?"
Not quite, because I have a very enterprise-y background…
OpenID Connect was built with enterprise use in mind (as well as consumer use); it helps you build effective access governance over cloud services.
What are the de facto federation and account provisioning protocols?
Identity Federation: • SAML?
Account Provisioning: • SPML?
Identity Federation: • Password Sharing
Account Provisioning: • Custom CSV
Why did we fail?
ļ®Too complex to understand.
ļ¬cognitive difficulty -> Support difficulty
ļ®Different products did not interoperate.
ļ¬A large Japanese manufacturer:
ā–Ŗ > 3000 partners all around the world
ā–Ŗ Many of them were working with multiple companies
ā–Ŗ Tried to create a SAML federation but failed.
CSV is easy.
• Hey, you just need Excel! And you can manually edit them!
Password Sharing is easy.
• Hey, it works on any application that supports passwords!
Lots of (hidden) problems…
ļ®Anything that more than 3 people
knows is not a secret!
ļ®Can easily get out of sync.
ļ®Allowing manual edit is a risk.
ļ®De-provisioning? Archiving?
ļ®Are you getting audit trail of the
access to those systems?
etcā€¦
#fail
Let's re-do.
This time, dead simple.
Yes, we are reinventing a wheel, but this time it will be a little rounder.
OpenID Connect
& SCIM
SAML vs. OpenID Connect

SAML Web SSO                  OpenID Connect
XML                           JSON
XML Dsig                      JSON Web Signature (JWS)
XML Encryption                JSON Web Encryption (JWE)
SAML                          JSON Web Token (JWT)
SAML Assertion                ID Token (OIDC)
SOAP (mostly…)                REST
SAML Web SSO Profile          Standard (= OAuth 2.0 binding)
SPML                          SCIM
identity: set of attributes related to an entity
(ISO/IEC 29115 | ITU-T X.1254)
Note: distinguish identity and identifier carefully.
An example of simplistic enterprise "identity"
Employee number: A12349898
Name: John Smith
Position: General Manager
Department: Finance
Company: ABCD Holding
Location: NYHQ
Datetime: 29130809T12:34:11Z
(Diagram: the identity record from the previous slide, Employee number through Datetime, feeding three consumers: Logging, User interface, Access Control info)
(Diagram: Entity → Identity → Resource. Identity attributes: Real Name, Professional qualification, Department, Geo-location, Employee number. Access path labels: Authentication, Policy Enforcement, Rules)
ABAC
Based on the SP 800-162 figure on page viii
(Diagram: entity, identity, Rules, Resource)
(Diagram: Entity → Identity → Resource with the ABAC components Authentication, PEP, PDP and PAP; other labels: Boss, Metadata, Log, Log. Identity attributes: Real Name, Professional qualification, Department, Geo-location, Employee number)
Requirements
R1 • Access Control MUST be done with the dynamic attributes
R2 • Identity MUST be provided from the authoritative source
R3 • Need to be able to provide flexible security.
R4 • Need to be dead simple.
R5 • Interoperability is king.
R6 • Limited connection (esp. mobile) ready.
R7 • Unified technology for enterprise and consumer.
(Diagram: the ABAC architecture slide repeated after the requirements: Entity → Identity → Resource; Authentication, PEP, PDP, PAP; Boss, Metadata, Log, Log; identity attributes Real Name, Professional qualification, Department, Geo-location, Employee number)
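The ABAC slides above show a PEP asking a PDP to decide on identity attributes under PAP-managed rules, with a log at both ends, and R1 demands that the attributes be dynamic. The Python below is an added example, not code from the deck or from NRI: it wires those pieces together over a record that uses the slide's attribute names. The resource catalogue, the position ranks, the 15-minute freshness limit and the sample values are assumptions made for the illustration; the freshness rule is what turns R1 into an enforceable check, since a record exported last quarter fails it.

```python
"""Attribute-based access control over an enterprise identity record.

Added example, not code from the deck. Attribute names are those of the
"simplistic enterprise identity" slide; the resource catalogue, position
ranks, freshness limit and sample values are constructed for illustration.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

Attributes = Dict[str, str]  # identity = set of attributes about an entity

# Constructed resource catalogue; each resource carries its own attributes (PAP-managed).
RESOURCES: Dict[str, Attributes] = {
    "finance-ledger": {"owner_department": "Finance", "min_position": "General Manager",
                       "allowed_locations": "NYHQ,LDN"},
    "cafeteria-menu": {"owner_department": "*", "min_position": "*", "allowed_locations": "*"},
}
RANK = {"Staff": 0, "Manager": 1, "General Manager": 2, "Executive": 3}  # constructed ordering
# R1: decisions MUST rest on dynamic attributes, so an attribute set older than this is
# treated as stale and refused instead of being trusted like a quarterly CSV export.
MAX_ATTRIBUTE_AGE = timedelta(minutes=15)


def rule_department(identity, resource, env) -> bool:
    want = resource["owner_department"]
    return want == "*" or identity.get("Department") == want


def rule_position(identity, resource, env) -> bool:
    want = resource["min_position"]
    return want == "*" or RANK.get(identity.get("Position", ""), -1) >= RANK[want]


def rule_location(identity, resource, env) -> bool:
    allowed = resource["allowed_locations"]
    return allowed == "*" or identity.get("Location") in allowed.split(",")


def rule_freshness(identity, resource, env) -> bool:
    # Datetime uses the slide's compact UTC form, e.g. 20130710T12:00:00Z.
    try:
        issued = datetime.strptime(identity["Datetime"], "%Y%m%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except (KeyError, ValueError):
        return False
    return env["now"] - issued <= MAX_ATTRIBUTE_AGE


RULES = [("department", rule_department), ("position", rule_position),
         ("location", rule_location), ("freshness", rule_freshness)]


def decide(identity: Attributes, resource_name: str, now: datetime) -> Tuple[str, List[str]]:
    """PDP: deny by default and report every rule that failed, not just the first."""
    resource = RESOURCES.get(resource_name)
    if resource is None:
        return "Deny", ["unknown resource"]
    env = {"now": now}
    failed = [name for name, rule in RULES if not rule(identity, resource, env)]
    return ("Permit" if not failed else "Deny"), failed


def enforce(identity: Attributes, resource_name: str, now: datetime, audit: List[str]) -> bool:
    """PEP: ask the PDP, then write the audit trail (an identifier, not the whole record)."""
    decision, failed = decide(identity, resource_name, now)
    audit.append(f"{now.isoformat()} emp={identity.get('Employee number')} "
                 f"res={resource_name} decision={decision} failed={','.join(failed) or '-'}")
    return decision == "Permit"


# Constructed identity record using the slide's attribute names.
JOHN: Attributes = {"Employee number": "A12349898", "Name": "John Smith",
                    "Position": "General Manager", "Department": "Finance",
                    "Company": "ABCD Holding", "Location": "NYHQ",
                    "Datetime": "20130710T12:00:00Z"}
NOW = datetime(2013, 7, 10, 12, 5, 0, tzinfo=timezone.utc)


def demo() -> Tuple[Dict[str, bool], List[str]]:
    audit: List[str] = []
    results = {
        "john_ledger": enforce(JOHN, "finance-ledger", NOW, audit),
        "john_ledger_from_home": enforce({**JOHN, "Location": "HOME"}, "finance-ledger", NOW, audit),
        "stale_record": enforce({**JOHN, "Datetime": "20130710T09:00:00Z"}, "finance-ledger", NOW, audit),
        "sales_staff_menu": enforce({**JOHN, "Department": "Sales", "Position": "Staff"},
                                    "cafeteria-menu", NOW, audit),
    }
    return results, audit


if __name__ == "__main__":
    outcomes, log = demo()
    print(outcomes)
    print("\n".join(log))
```

The same John Smith record is permitted at NYHQ, denied from an unlisted location, and denied again when the record is three hours old even though every other attribute still matches; that last denial is the difference between "attributes" and "dynamic attributes" in R1.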
Deployment Experiences of OpenID Connect
What kind of deployment have we done?
Windows Domain integration
SMTP/IMAP/SSH & OpenID Connect
A large provider integration
Privacy Proxy
Windows Domain Integration
(Diagram labels: AD, Connect Server, Access Log, Service ×4, Registration, Discovery, HR System)
Easy to implement
• Building was easy;
• Deployment was easy, partly because you can "provision" the linked accounts;
Nice user experience for enterprise users
• No login dialogues; leverage Windows Logon;
• No consent – as it is administered by the admin, and it is following privacy rules;
• Helps avoid the "Pavlov's Dog Problem"
Turning the Internet Dog into Pavlov's Dog
(Source: based on the IIW dog)
But what about other protocols?
SMTP / IMAP / SSH etc.
Application Passwords…
PAM Module for OpenID Connect
(Diagram: Thunderbird or a Web Browser obtains a Token from the OpenID Connect Server; the Token is sent as the Password to SMTP / IMAP / SSH; the PAM OIDC Plugin checks it with the OpenID Connect Server by Token Introspection)
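The PAM flow in the diagram above puts an OIDC token into the password field of SMTP, IMAP or SSH and leaves the PAM plugin to ask the OpenID Connect Server whether the token is good. The Python below is an added example of the decision the plugin has to make, not the deck's PAM module: it validates an RFC 7662 introspection response against the service being logged into and the login name presented, and writes an audit line that never contains the token itself. The service table, scopes, audiences, token values and the stub standing in for the HTTP call to the introspection endpoint are all constructed.

```python
"""PAM-side decision for an OpenID Connect token presented as a password.

Added example, not the deck's PAM module. Response fields follow RFC 7662
(token introspection); the call to the OP is replaced by a constructed lookup
table, and the service names, scopes, audiences and token values are invented.
"""
import hashlib
from typing import Callable, Dict, Tuple

NOW = 1_373_457_251  # fixed clock for a reproducible run

# What each local service demands of a token (constructed policy).
SERVICES: Dict[str, Dict[str, str]] = {
    "imap": {"scope": "mail", "aud": "imap.example.com"},
    "ssh": {"scope": "ssh", "aud": "bastion.example.com"},
}

# Constructed introspection responses keyed by token, standing in for the POST
# the PAM plugin would make to the OP's introspection endpoint.
_OP_RESPONSES: Dict[str, dict] = {
    "tok-jsmith-mail": {"active": True, "sub": "A12349898", "username": "jsmith",
                        "scope": "openid mail", "aud": "imap.example.com",
                        "client_id": "thunderbird", "exp": NOW + 600},
    "tok-jsmith-ssh": {"active": True, "sub": "A12349898", "username": "jsmith",
                       "scope": "openid ssh", "aud": "bastion.example.com",
                       "client_id": "ssh-helper-app", "exp": NOW + 600},
    "tok-bob-mail": {"active": True, "sub": "B0001", "username": "bob",
                     "scope": "openid mail", "aud": "imap.example.com",
                     "client_id": "thunderbird", "exp": NOW + 600},
    "tok-jsmith-revoked": {"active": False},
}


def fake_introspect(token: str) -> dict:
    # RFC 7662: unknown or revoked tokens simply come back as inactive.
    return dict(_OP_RESPONSES.get(token, {"active": False}))


def pam_authenticate(service: str, login_name: str, token: str,
                     introspect: Callable[[str], dict], now: int) -> Tuple[bool, str, str]:
    """Return (ok, reason, audit_line). The token itself never reaches the log."""
    token_ref = hashlib.sha256(token.encode()).hexdigest()[:12]

    def finish(ok: bool, reason: str) -> Tuple[bool, str, str]:
        line = (f"pam_oidc service={service} login={login_name} "
                f"token_ref={token_ref} result={'allow' if ok else 'deny'} reason={reason}")
        return ok, reason, line

    svc = SERVICES.get(service)
    if svc is None:
        return finish(False, "unknown service")
    info = introspect(token)
    if not info.get("active"):
        return finish(False, "token not active")
    exp = info.get("exp")
    if exp is not None and now >= exp:            # the OP should already say inactive; check anyway
        return finish(False, "token expired")
    aud = info.get("aud")
    auds = [aud] if isinstance(aud, str) else list(aud or [])
    if svc["aud"] not in auds:                    # a mail token must not open an SSH session
        return finish(False, "token not issued for this service")
    if svc["scope"] not in info.get("scope", "").split():
        return finish(False, "missing scope")
    if info.get("username") != login_name:        # the presented login must be the token's subject
        return finish(False, "token subject does not match login name")
    return finish(True, "ok")


def demo() -> Dict[str, Tuple[bool, str]]:
    cases = {
        "jsmith_imap": ("imap", "jsmith", "tok-jsmith-mail"),
        "jsmith_ssh_with_mail_token": ("ssh", "jsmith", "tok-jsmith-mail"),
        "jsmith_ssh": ("ssh", "jsmith", "tok-jsmith-ssh"),
        "jsmith_with_bobs_token": ("imap", "jsmith", "tok-bob-mail"),
        "jsmith_revoked": ("imap", "jsmith", "tok-jsmith-revoked"),
        "jsmith_after_expiry": ("imap", "jsmith", "tok-jsmith-mail"),
    }
    results = {}
    for name, (service, login, token) in cases.items():
        clock = NOW + 3600 if name == "jsmith_after_expiry" else NOW
        ok, reason, _line = pam_authenticate(service, login, token, fake_introspect, clock)
        results[name] = (ok, reason)
    return results


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:>28}: {'allow' if ok else 'deny':5} ({reason})")
```

Two of the denials are the ones that matter operationally: a valid mail token cannot be replayed against the SSH bastion because the audience check runs before anything else about the user is considered, and a valid token belonging to another user is refused because the login name typed into the client must match the subject the OP reports.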
Make sure to follow verification rules
• Some implementations were bitten by not following MUSTs.
Never send an access token without an accompanying ID Token to any other clients.
• Otherwise, you will be subject to the token swap attack.
• http://www.thread-safe.com/2012/01/problem-with-oauth-for-authentication.html
Care should be taken with "code" and "token" server-side verification
• Maybe not so acute in most enterprise deployments, but one of the consumer solutions that we help run is doing 2000 tr/sec
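The slide above warns that a client which accepts a bare access token as proof of login is open to token swap, and that "code" and "token" verification has to happen server-side. The Python below is an added example, not code from the deck: it performs the relying-party checks OpenID Connect Core requires on an ID Token (signature, iss, aud/azp, exp, nonce and, when the access token is at hand, at_hash), and then shows why the aud check is the one that defeats a swapped token. It uses HS256 with the client secret so that it runs offline without an OP or a JOSE library; the issuer, client ids, secret and token values are constructed.

```python
"""ID Token verification on the relying-party side.

Added example, not code from the deck. HS256 (client_secret as key) keeps it
self-contained; the checks are those OpenID Connect Core requires of a client.
All token values are constructed.
"""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-client-secret"        # shared with the OP in the HS256 case
ISSUER = "https://op.example.com"            # constructed OP issuer identifier
CLIENT_ID = "rp-a"                           # this relying party
NOW = 1_373_457_251                          # fixed "now" for a reproducible run
ACCESS_TOKEN = "constructed-opaque-access-token"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def at_hash(access_token: str) -> str:
    """Left half of SHA-256 over the access token, base64url (binds it to the ID Token)."""
    digest = hashlib.sha256(access_token.encode("ascii")).digest()
    return b64url(digest[: len(digest) // 2])


def make_id_token(claims: dict, secret: bytes) -> str:
    """Mint an HS256 JWS for the demo; stands in for the OP."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


class IdTokenError(ValueError):
    pass


def verify_id_token(token, *, secret, issuer, client_id, nonce=None, access_token=None, now=None):
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise IdTokenError("malformed token")
    h, p, s = parts
    header = json.loads(unb64url(h))
    if header.get("alg") != "HS256":                   # pin the algorithm; never trust the header
        raise IdTokenError("unexpected alg")
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, unb64url(s)):  # signature before any claim is read
        raise IdTokenError("bad signature")
    claims = json.loads(unb64url(p))
    if claims.get("iss") != issuer:
        raise IdTokenError("issuer mismatch")
    aud = claims.get("aud")
    auds = [aud] if isinstance(aud, str) else list(aud or [])
    if client_id not in auds:                          # the token swap defence
        raise IdTokenError("aud does not include this client")
    if len(auds) > 1 and claims.get("azp") != client_id:
        raise IdTokenError("azp mismatch")
    if "exp" not in claims or now >= claims["exp"]:
        raise IdTokenError("token expired")
    if nonce is not None and claims.get("nonce") != nonce:
        raise IdTokenError("nonce mismatch")
    if access_token is not None and "at_hash" in claims and claims["at_hash"] != at_hash(access_token):
        raise IdTokenError("at_hash mismatch")
    return claims


def _outcome(token, **kw):
    try:
        claims = verify_id_token(token, secret=SECRET, issuer=ISSUER, client_id=CLIENT_ID, now=NOW, **kw)
        return "ok:" + claims["sub"]
    except IdTokenError as exc:
        return "rejected:" + str(exc)


def demo():
    base = {"iss": ISSUER, "sub": "A12349898", "aud": CLIENT_ID, "exp": NOW + 300,
            "iat": NOW, "nonce": "n-1", "at_hash": at_hash(ACCESS_TOKEN)}
    good = make_id_token(base, SECRET)
    # Token minted for a different client. Signed with the same key here to mimic an OP's
    # asymmetric key, which verifies for every client: only the aud check rejects it.
    swapped = make_id_token({**base, "aud": "rp-b"}, SECRET)
    expired = make_id_token({**base, "exp": NOW - 1}, SECRET)
    h, _, s = good.split(".")
    tampered = f"{h}.{b64url(json.dumps({**base, 'sub': 'B000'}).encode())}.{s}"
    return {
        "good": _outcome(good, nonce="n-1", access_token=ACCESS_TOKEN),
        "swapped": _outcome(swapped, nonce="n-1"),
        "expired": _outcome(expired),
        "tampered": _outcome(tampered),
        "wrong_at_hash": _outcome(good, access_token="some-other-token"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:>13}: {result}")
```

The "swapped" case is the slide's point in code: the token is well formed, unexpired and correctly signed by the issuer, yet it was issued to rp-b, so a relying party that only checked the signature or only looked at the access token would have logged the user in. With an OP's RS256 key every client can verify every token, which is why the aud check, not the signature, is the control that matters there.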