
Managing Identity by Giving Up Control - Scott Morrison, SVP & Distinguished Engineer, CA Technologies @ Gartner AADI

Identity on the Internet is changing. Social networking has kicked off a massive change in how we integrate identity across applications. This is much more than a simple redesign of security tokens and protocols; instead it is a radical redistribution of power and control over entitlements, shifting it away from the centralized control of a cabal of directory engineers and out to the users themselves.
There are compelling reasons for this shift: it enables scaling of identity administration, and it promotes rapid and agile integration of applications. These are goals shared by the enterprise, but this change has significant implications for infrastructure, people and process. Join us to learn how you can bring modern identity management into the enterprise.

  1. Managing Identity By Giving Up Control. K Scott Morrison, Distinguished Engineer, December 2014
  2. How Many Passwords Do You Have?
  3. The Italian Solution. © 2014 CA. ALL RIGHTS RESERVED.
  4. How Do We Cope With Identity Proliferation?
  5. Here Is The Traditional Approach For Providing Identity and Access Management (IAM): Classic Centralized Control. Identity is managed centrally: formal and hierarchical; geared toward employees. (Diagram: Enterprise Network behind a Firewall; Employee, Directory, IAM, Applications and Data)
  6. This Extends Naturally To SSO. Identity is still managed centrally: formal and hierarchical; administration of trust. (Diagram: Enterprise Network behind a Firewall; Employee, IdP, IAM, Trust, Applications and Data)
  7. Classic Federation. (Diagram: a Principal inside the Enterprise Internal Network sends Message + Security Token to a Trading Partner)
  8. Pattern #1: SAML-based Federation. 1) The Principal authenticates to the IdP and acquires a SAML token; 2) the Principal sends Message + SAML to the Service Provider, which releases the Data. Note that this demonstrates the SAML browser POST profile. The artifact profile is harder to do through corporate firewalls.
  9. What Does It Mean To Have An Account? There is always something associated with an ID. (Diagram: Directory; Data & Objects; App Server)
  10. What We Really Have Is A Synchronization Problem. (Diagram: Partner Identities at the Trading Partner, across a Firewall, kept in sync with Objects in the Enterprise Directory)
  11. High Administrative Burden. Very centralized control: lots of ceremony; hard to set up; hard to maintain; self-service is tricky and implementation specific. (Diagram: Trading Partner Admin, Principal, Directory, IdP, Relying Party)
  12. It is 2014. And We Have A Problem…
  13. The Channel Explosion in Modern Business. Traditional IAM struggles to meet this challenge. No unified access model: for employees; for contractors; for partners; for apps, devices & machines; for ? (Diagram: Applications and Data inside the Enterprise Network, reached from Cloud, Mobile Devices, Partners, API/Service Client, Laptop)
  14. Identity Is Approaching Critical Mass. "People Have Identity": Internet users today 2.4B; average number of online IDs 26; average number of Facebook friends 336. "Things Have Identity": phones, tablets and laptops 7.3B; things by 2020 26.0B. Sources: Internet users, Internet World Stats Q1 2012: http://www.internetworldstats.com/stats.htm; Internet accounts, Experian July 2012: http://www.bbc.com/news/technology-18866347; Facebook, Pew Research: http://www.pewresearch.org/fact-tank/2014/02/03/6-new-facts-about-facebook/
  15. Diversity!
  16. Speed!
  17. Look To Social Networking For Inspiration
  18. Conceptually Here Is What Happens. 1. User (Scott) posts a new tweet; 2. Twitter posts the tweet to Facebook on the user's behalf.
  19. A Bad First Attempt: Stored Passwords. This is the "password anti-pattern": Scott sends in his Facebook password, and Twitter uses the Facebook password.
  20. OK, So Let's Try SAML. Scott authenticates using his Twitter password; Twitter vouches that it authenticated Scott.
  21. But There Are Problems… How can we associate these different representations of Scott? Where are the limits on what Twitter can do?
  22. Here's A Smarter Approach
  23. Security Assertion Markup Language (SAML)
  24. OAuth: "access_token":"2YotnFZFEjr1zCsicMWpAA"
  25. ID Token (From OpenID Connect):
      eyJhbGciOiJSUzI1NiIsImtpZCI6IjQ4OWRmMzE3YzIyYzY3NTZkOTUyMTVk
      YjQ1NTA5MjY0N2RmNWIxNmEifQ.eyJpc3MiOiJhY2NvdW50cy5nb29nbGUuY
      29tIiwiZW1haWwiOiJ0aW1icmF5QGdtYWlsLmNvbSIsImVtYWlsX3Zlcmlma
      WVkIjoidHJ1ZSIsInN1YiI6IjEwNzYwNjcwMzU1ODE2MTUwNzk0NiIsImF1Z
      CI6IjQwNzQwODcxODE5Mi5hcHBzLmdvb2dsZXVzZXJjb250ZW50LmNvbSIsI
      mF0X2hhc2giOiJyTC1jVml3OTJtYW5EUU1MdU1tTEt3IiwiYXpwIjoiNDA3N
      DA4NzE4MTkyLmFwcHMuZ29vZ2xldXNlcmNvbnRlbnQuY29tIiwiaWF0IjoxM
      zY1MDk5MTUxLCJleHAiOjEzNjUxMDMwNTF9.GeqJOTJSMaQjo33wxM-3f5k5
      FIEADqxd3K4zS0pWgWjtqwDldbpGgmxwTytgvtXKjFu7dtZx6TUXPnDhLBti
      MjtkTyPGZbm65RwG0arSLqH-iDelceDR5HDABhOBqXjsi19rdnC3TAWf5Dpe
      QYZt9uSSgPseGW2wh6OO5izat48
      Source: Tim Bray, Ongoing, https://www.tbray.org/ongoing/When/201x/2013/04/04/ID-Tokens
  26. ID Token (cont.): It's Just A JSON Web Token (JWT)
      {
        "issuer": "accounts.google.com",
        "issued_to": "407408718192.apps.googleusercontent.com",
        "audience": "407408718192.apps.googleusercontent.com",
        "user_id": "10315112535234507946",
        "expires_in": 3089,
        "issued_at": 1365099151,
        "email": "example@gmail.com",
        "email_verified": true
      }
      Source: Tim Bray, Ongoing, https://www.tbray.org/ongoing/When/201x/2013/04/04/ID-Tokens
  27. 27. Here’s How 3-­‐Legged OAuth Works 27 0A3DB28…! 0A3DB28…! © 2014 CA. ALL RIGHTS RESERVED. User ScoO OAuth Client OAuth Authoriza8on & Resource Servers 2. Sco9 authen*cates using his Facebook Password 4. Twi9er uses code to acquire access token to post tweets to Facebook 1. Sco9 authen*cates using his Twi9er Password 3. Sco9 grants Twi9er limited capabili*es on Facebook
  28. 28. Here’s What It Looks Like When We’re Done 28 © 2014 CA. ALL RIGHTS RESERVED. Sco9 posts tweet User ScoO Tweet plus access token authorizing Twi9er to post for Sco9 OAuth Client OAuth Authoriza8on & Resource Servers I’m in Las Vegas at Gartner AADI I’m in Las Vegas at Gartner AADI
  29. 29. But OAuth Also Enables NASCAR-­‐style Sign On 29 © 2014 CA. ALL RIGHTS RESERVED. Taken from sears.com
  30. Let's Call This Pattern #2: Social Sign-On. 1) The User authenticates at the OAuth Authorization Server and gets a code; 2) the code is passed to the OAuth Client; 3) the Client validates the code, gets an access token, and then the Data. This demonstrates grant_type=authorization_code. Note the user never sees the access token; only the client sees it. The user's session must be managed using other means (e.g. a session cookie).
  31. This Is Actually A Profound Shift In Identity Mgmt: The Old Enterprise vs. The New Hybrid Enterprise. This is the secret to achieving scale and agile federation.
  32. What is Really Different Here? Integration with simple RESTful APIs; very loose coupling; very low ceremony; very loose relationships driven by the caller (client to authorization server; user to client). This all adds up to a distribution of responsibility that scales with the number of users.
  33. But We're Not Quite At Federation. We have simple Single Sign-On, but what about attributes?
      <saml:AttributeStatement>
        <saml:Attribute FriendlyName="fooAttrib" Name="SFDC_USERNAME" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
          <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">user101@salesforce.com</saml:AttributeValue>
        </saml:Attribute>
      </saml:AttributeStatement>
      From: http://login.salesforce.com/help/doc/en/sso_saml_assertion_examples.htm
  34. This Is The Job Of OpenID Connect. The OAuth Client calls the OpenID Connect UserInfo endpoint for a specific scope and gets back a JSON structured attribute list of claims, e.g. the user's email, first name, last name, etc.
  35. We're Almost There. But we still have a registration problem. Remember our earlier point about what constitutes an "account". This is obviously an enterprise problem, not an individual problem. (Diagram: Authorization Server and Client, with provisioning of new users who may already exist on one side)
  36. This Is What SCIM Is For. SCIM stands for System for Cross-domain Identity Management; it defines user/group schema and REST endpoints for CRUD: an API for user management. (Diagram: Enterprise Administrator, Authorization Server, Client; "Create New Users")
  37. Each Approach Has Its Merits. Choose SAML or OAuth based on operational goals.
      • SAML: support is widespread; dominant for enterprise SSO and federation; strong in passive (browser) profiles; less strong in active (classic SOAP or newer RESTful APIs) profiles; lots of central administration and federation ceremony.
      • OAuth/OpenID Connect is growing very fast: OAuth owns RESTful APIs; the world is not just about browsers any longer (think about the rise of mobile apps); fast to integrate, with no need to engage parties; irresistible delegation model; potential brand, regulatory, or organizational issues with social login.
  38. Summary. SAML is not going away: your existing investment is safe, and it will continue to play a huge role in web-based federation. But OAuth+OpenID Connect+SCIM is coming on very strong, driven by the rise of APIs and mobile devices. Don't let anyone tell you OAuth is just another auth token scheme: it really represents a shift in power and authority.
  39. K. Scott Morrison, SVP & Distinguished Engineer. Scott.Morrison@ca.com, @KScottMorrison, slideshare.net/CAinc, linkedin.com/KScottMorrison, ca.com
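The 3-legged flow of slides 27 and 30 (the replacement for the password anti-pattern of slide 19), worked through as an added example that is not code from the talk or from CA Technologies. Both sides of the exchange are simulated in one file so it runs offline: the authorization server issues a short-lived, single-use code on the front channel and trades it for an access token only on the back channel, where the client authenticates with its own secret; the client binds the callback to the browser session with `state`. The endpoint URL, `client_id`, `client_secret`, redirect URI, session and user names are constructed placeholders.

```python
"""Authorization code grant (the "3-legged OAuth" of slides 27 and 30), simulated in-process.
Added example, not code from the talk or from CA Technologies: the OAuth client ("Twitter")
and the authorization/resource server ("Facebook") both live here so it runs offline. The
endpoint URL, client_id, client_secret, redirect URI, session and user names are constructed."""
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

AUTHZ_ENDPOINT = "https://as.example/oauth/authorize"  # assumed
CLIENT_ID = "twitter-client"                            # assumed
CLIENT_SECRET = "client-s3cret"                         # assumed
REDIRECT_URI = "https://client.example/callback"        # assumed


def _query(url):
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


class AuthorizationServer:
    """Authorization endpoint, token endpoint and a toy resource ("post on my wall")."""

    def __init__(self, clients, code_ttl=60):
        self.clients = clients   # client_id -> (client_secret, registered redirect_uri)
        self.codes = {}          # code -> grant details; short-lived and single-use
        self.tokens = {}         # access_token -> (user, scope)
        self.code_ttl = code_ttl

    def authorize(self, request_url, user):
        """Front channel (steps 2-3): `user` has authenticated here and consents.
        Returns the redirect back to the client carrying the code and the client's state."""
        q = _query(request_url)
        registration = self.clients.get(q.get("client_id"))
        if registration is None:
            raise ValueError("unauthorized_client")
        if q.get("response_type") != "code" or q.get("redirect_uri") != registration[1]:
            raise ValueError("invalid_request")   # never redirect to an unregistered URI
        code = secrets.token_urlsafe(16)
        self.codes[code] = {"client_id": q["client_id"], "user": user, "scope": q["scope"],
                            "redirect_uri": q["redirect_uri"], "expires": time.time() + self.code_ttl}
        return registration[1] + "?" + urlencode({"code": code, "state": q["state"]})

    def token(self, grant_type, code, client_id, client_secret, redirect_uri):
        """Back channel (step 4): only the client ever sees the access token."""
        if grant_type != "authorization_code":
            raise ValueError("unsupported_grant_type")
        secret = self.clients.get(client_id, ("", ""))[0]
        if not secret or not hmac.compare_digest(secret, client_secret):
            raise ValueError("invalid_client")
        grant = self.codes.pop(code, None)   # pop: a code can be redeemed exactly once
        if (grant is None or grant["client_id"] != client_id
                or grant["redirect_uri"] != redirect_uri or time.time() > grant["expires"]):
            raise ValueError("invalid_grant")
        access_token = secrets.token_urlsafe(24)
        self.tokens[access_token] = (grant["user"], grant["scope"])
        return {"access_token": access_token, "token_type": "Bearer", "scope": grant["scope"]}

    def post(self, access_token, text):
        """Resource server: act for the user only within the scope that was granted."""
        user, scope = self.tokens.get(access_token, (None, ""))
        if user is None or "publish" not in scope.split():
            raise PermissionError("insufficient_scope")
        return f"{user}: {text}"


class Client:
    """The OAuth client; the user's own session is kept by other means (e.g. a cookie)."""

    def __init__(self, server):
        self.server = server
        self.pending = {}   # state -> session id: binds the callback to the browser session

    def start(self, session_id, scope="publish"):
        state = secrets.token_urlsafe(16)
        self.pending[state] = session_id
        return AUTHZ_ENDPOINT + "?" + urlencode({"response_type": "code", "client_id": CLIENT_ID,
                                                "redirect_uri": REDIRECT_URI, "scope": scope, "state": state})

    def callback(self, redirect_url, session_id):
        q = _query(redirect_url)
        if self.pending.pop(q.get("state"), None) != session_id:
            raise ValueError("state mismatch: login CSRF or injected code")
        return self.server.token("authorization_code", q["code"], CLIENT_ID, CLIENT_SECRET, REDIRECT_URI)


def run_flow(text="I'm in Las Vegas at Gartner AADI"):
    """Drive the whole exchange; returns the token, the delegated post, and whether a replayed code was refused."""
    server = AuthorizationServer({CLIENT_ID: (CLIENT_SECRET, REDIRECT_URI)})
    client = Client(server)
    request_url = client.start("scott-session")        # step 1: Scott is logged in at the client
    redirect = server.authorize(request_url, "scott")  # steps 2-3: Scott authenticates, then consents
    tok = client.callback(redirect, "scott-session")   # step 4: code -> access token, back channel
    posted = server.post(tok["access_token"], text)    # the delegated action itself
    try:
        server.token("authorization_code", _query(redirect)["code"], CLIENT_ID, CLIENT_SECRET, REDIRECT_URI)
        replay_rejected = False
    except ValueError:
        replay_rejected = True
    return {"token": tok, "posted": posted, "replay_rejected": replay_rejected}
```

Two design points the slides only hint at: the user's browser carries the code but never the access token, so the client's own session (the "other means" of slide 30) is what `state` is bound to, and the token endpoint checks the client secret and the `redirect_uri` the code was bound to before redeeming a code, and only once.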

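What a relying party has to do with the ID token of slides 25-26 before trusting it, as an added example that is not code from the talk or from Tim Bray's post. A real Google ID token is signed with RS256 and must be checked against the keys the issuer publishes (the `kid` header selects one); to stay self-contained with the standard library this example mints and checks its own token with HS256 under a constructed shared key, the arrangement available to a confidential client that shares a secret with the authorization server. The claim names in the payload are the registered ones the decoded token on slide 25 actually carries (iss, aud, sub, iat, exp, email, email_verified); issuer, audience, subject, e-mail and key are constructed.

```python
"""Parse and validate an OpenID Connect ID token (slides 25-26), standard library only.
Added example, not code from the talk or from Tim Bray's post. Real Google tokens are
RS256 and must be verified against the issuer's published keys; this self-contained
version uses HS256 under a constructed shared key. All identifiers are constructed."""
import base64
import hashlib
import hmac
import json
import time

ISSUER = "accounts.example"                  # assumed issuer
AUDIENCE = "407408718192.apps.example"       # assumed client_id of the relying party
KEY = b"constructed-shared-secret"           # assumed; never hard-code a real one


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(sub, email, now=None, ttl=3600, key=KEY, aud=AUDIENCE):
    """Authorization-server side: header.payload.signature, each base64url without padding."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT", "kid": "k1"}
    claims = {"iss": ISSUER, "aud": aud, "sub": sub, "email": email,
              "email_verified": True, "iat": now, "exp": now + ttl}
    signing_input = (b64url_encode(json.dumps(header).encode()) + "."
                     + b64url_encode(json.dumps(claims).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def validate_id_token(token, key=KEY, expected_aud=AUDIENCE, now=None, leeway=60):
    """Relying-party side. Returns the claims or raises ValueError.
    Order matters: pin the algorithm first (the token must not choose it), verify the
    signature, and only then read the claims and check iss, aud, exp and iat."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
    except ValueError as e:          # wrong segment count, bad base64, bad JSON
        raise ValueError("malformed token") from e
    if header.get("alg") != "HS256":   # allow-list: rejects "none" and RS256->HS256 confusion
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if expected_aud not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not intended for this client")
    if not isinstance(claims.get("exp"), int) or now > claims["exp"] + leeway:
        raise ValueError("token expired")
    if "iat" in claims and claims["iat"] > now + leeway:
        raise ValueError("token issued in the future")
    if "sub" not in claims:
        raise ValueError("no subject")
    return claims


def classify(token, **kw):
    """'ok' or the reason the token was rejected; handy for exercising the failure modes."""
    try:
        validate_id_token(token, **kw)
        return "ok"
    except ValueError as e:
        return str(e)
```

The check on `aud` is the one that answers slide 21's "where are the limits?" for identity: a token minted for another client is a valid token from the same issuer, and it is still worthless to you.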