A recipe for standards-based Cloud IdM

Paul Madsen
@paulmadsen
Ingredients

• SAML
• OAuth
• SCIM
• JWT
Ingredients

• A small number of ingredients can be composed to create useful & tasty dishes
• SCIM, SAML, OAuth, and JWT provide a standards-based framework for cloud identity recipes

(Gross) Oversimplifications

• SAML – SSO for enterprise & cloud web apps
• OAuth – authn & authz for RESTful APIs
• SCIM – RESTful (and viable!) user provisioning
• JWT – JSON-based SAML assertions
[Diagram: the four ingredients SAML, SCIM, OAuth and JWT]
SCIM & SAML

• SCIM API messages to provision accounts for subsequent SAML SSO
• SAML binding for SCIM
  • Carry the SCIM instance as attributes in the SAML SSO message
  • Alternative to a distinct CRUD operation using the SCIM RESTful protocol
  • Enables JIT provisioning
SCIM & SAML

<saml:AttributeStatement xmlns:xs="http://www.w3.org/2001/XMLSchema"
     xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
     xmlns:scim="http://placeholder.scim.org/2011/schema/extension">
  <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
                  Name="SCIM.userName">
    <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                         xsi:type="xs:string">bjensen@example.com</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
                  Name="SCIM.name.formatted">
    <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                         xsi:type="xs:string">Ms. Babs J Jensen III</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
Challenges

• Non-trivial to map the SCIM attribute schema into SAML's attribute model
• The SCIM schema allows for
  • Complex structures
  • Multi-valued attributes
• Which is why I've been negligent in the work
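One way to do the SCIM-to-SAML attribute mapping the two slides above describe, as an added example that is not from the deck: a SCIM user (constructed, modelled on the bjensen example) is flattened into "SCIM.<path>" attribute names and serialised as the saml:AttributeStatement shown earlier; the interesting part is the handling of complex and multi-valued attributes, which is exactly where the mapping gets non-trivial. The padding convention for missing sub-attributes is this example's own choice, not anything the slides or a SCIM spec define.

```python
import xml.etree.ElementTree as ET
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"
XS_NS = "http://www.w3.org/2001/XMLSchema"
UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"

SAMPLE_USER = {  # constructed sample, modelled on the slide's bjensen example
    "userName": "bjensen@example.com",
    "externalId": "701984",
    "name": {"formatted": "Ms. Babs J Jensen III", "familyName": "Jensen"},
    "emails": [
        {"value": "bjensen@example.com", "primary": True, "type": "work"},
        {"value": "babs@example.org", "type": "home"},
    ],
}
def flatten_scim(user, prefix="SCIM"):
    """Map a SCIM user dict to {saml_attribute_name: [values]}: complex attributes
    become dotted paths (SCIM.name.formatted); a multi-valued complex attribute gives
    one attribute per sub-attribute, values aligned by element and padded with ""."""
    attrs = {}
    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                walk(value, f"{path}.{key}")
        elif isinstance(node, list) and all(isinstance(i, dict) for i in node):
            for key in sorted({k for item in node for k in item}):
                for item in node:
                    walk(item.get(key, ""), f"{path}.{key}")
        elif isinstance(node, list):  # multi-valued simple attribute
            for item in node:
                walk(item, path)
        else:  # scalar; spell booleans the XML/SCIM way ("true"/"false")
            text = str(node).lower() if isinstance(node, bool) else str(node)
            attrs.setdefault(path, []).append(text)
    walk(user, prefix)
    return attrs

def attribute_statement(attrs):
    """Serialise the mapping as a saml:AttributeStatement of xs:string values."""
    ET.register_namespace("saml", SAML_NS)
    ET.register_namespace("xsi", XSI_NS)
    stmt = ET.Element(f"{{{SAML_NS}}}AttributeStatement", {"xmlns:xs": XS_NS})
    for name, values in attrs.items():
        attr = ET.SubElement(stmt, f"{{{SAML_NS}}}Attribute",
                             {"NameFormat": UNSPECIFIED, "Name": name})
        for value in values:
            ET.SubElement(attr, f"{{{SAML_NS}}}AttributeValue",
                          {f"{{{XSI_NS}}}type": "xs:string"}).text = value
    return ET.tostring(stmt, encoding="unicode")
```

Reading the statement back requires the same convention on the SP side: the n-th value of SCIM.emails.value, SCIM.emails.type and SCIM.emails.primary together rebuild the n-th email.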
SCIM & OAuth

1. Use SCIM to provision an account for subsequent OAuth-based mobile access to SaaS APIs
2. Use OAuth to secure SCIM API calls
SCIM & OAuth

POST /User HTTP/1.1
Host: example.com
Accept: application/xml
Authorization: Bearer h480djs93hd8

<?xml version="1.0" encoding="UTF-8"?>
<scim:User xmlns:scim="urn:scim:schemas:core:1.0">
  <userName>bjensen@example.com</userName>
  <externalId>701984</externalId>
  <emails>
    <email>
      <value>bjensen@example.com</value>
      <primary>true</primary>
      <type>work</type>
    </email>
  </emails>
</scim:User>

The Authorization header carries an OAuth access token issued by the SaaS to the enterprise, to use on subsequent SCIM calls. Note the difference from the archetypical OAuth delegated-authz use case.
SAML & OAuth

• 'Hybrid' – carry an OAuth token in SAML SSO messages
• 'Assertion profile' – use SAML assertions within the OAuth flow; trade an assertion for a token
• 'Sequencing' – use SAML SSO in order to authenticate the user to the AS
Demo




Copyright © 2011. Cloud Identity Summit. All Rights Reserved.
SAML & JWT & OAuth

• SAML, JWT – profiles of the assertion profile for specific assertion formats
• Assertion profile – how to use assertions for client authentication and as a grant type
• OAuth – core protocol
SAML & JWT & OAuth

• Use a SAML assertion or JWT for OAuth client authentication and/or as an OAuth grant type

POST /token HTTP/1.1
Host: server.example.com
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code&code=i1WsRn1uB1&client_id=s6BhdRkqt3&
client_assertion_type=urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Aassertion&
client_assertion=PHNhbWxwOl…...ZT

The client authenticates to the AS token endpoint using an assertion rather than a secret.
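The same token-endpoint exchange with the JWT flavour of the assertion profile (RFC 7523's JWT client assertion type instead of the SAML one shown above), as an added example that is not the deck's own code: the client builds the form body, and the AS side shows the checks that make an assertion a safe substitute for a client secret. The token endpoint URL, the client key table and the use of HS256 with a shared secret in place of a client private key are assumptions of this example.

```python
import base64, hashlib, hmac, json, time
from urllib.parse import parse_qs, urlencode

TOKEN_ENDPOINT = "https://server.example.com/token"  # assumed AS endpoint
JWT_BEARER = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jwt(claims: dict, key: bytes) -> str:
    """HS256 JWT; the shared secret stands in for a client private key."""
    head, body = b64url(b'{"alg":"HS256"}'), b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url(sig)}"

def build_token_request(client_id, code, key, now=None):
    now = now or int(time.time())  # client side: form body for POST /token
    assertion = sign_jwt({"iss": client_id, "sub": client_id, "aud": TOKEN_ENDPOINT,
                          "jti": f"{client_id}-{now}", "iat": now, "exp": now + 60}, key)
    return urlencode({"grant_type": "authorization_code", "code": code,
                      "client_id": client_id, "client_assertion_type": JWT_BEARER,
                      "client_assertion": assertion})

def authenticate_client(body, keys_by_client, now=None):
    """AS side: return the authenticated client_id, or None if any check fails."""
    now = now or int(time.time())
    form = {k: v[0] for k, v in parse_qs(body).items()}
    if form.get("client_assertion_type") != JWT_BEARER:
        return None
    try:  # parse the three JWT parts; pin the algorithm instead of trusting "alg"
        head, payload, sig = form["client_assertion"].split(".")
        claims, signature = json.loads(b64url_decode(payload)), b64url_decode(sig)
        if json.loads(b64url_decode(head)).get("alg") != "HS256":
            return None
    except (KeyError, ValueError, AttributeError):
        return None
    key = keys_by_client.get(claims.get("iss")) if isinstance(claims, dict) else None
    if key is None:
        return None
    expected = hmac.new(key, f"{head}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    # RFC 7523 claim checks: sub and client_id bind to iss, aud is this endpoint,
    # assertion unexpired (a jti replay cache is omitted here).
    if (claims.get("sub") != claims["iss"] or form.get("client_id") != claims["iss"]
            or claims.get("aud") != TOKEN_ENDPOINT or claims.get("exp", 0) <= now):
        return None
    return claims["iss"]
```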
[Diagram: the ingredients SAML, SCIM, OAuth and JWT, with OpenID Connect added]
OpenID Connect == JWT & OAuth & identity

• OAuth is a general mechanism to authorize API access; OpenID Connect profiles the generic mechanism for the purposes of sharing profile information & enabling an SSO protocol
• Uses the authz code & implicit grant types – the pieces of OAuth optimized for user-consent scenarios
• Leverages the authorization & token endpoints & adds identity-based params to core OAuth messages
OpenID Connect

• OpenID Provider
  – Adds to the OAuth 2.0 Authorization Service
    • Issues an id_token in addition to the access_token
  – Codifies a standardized Resource Service
    • UserInfo Endpoint
• Relying Party
  – OAuth client to the endpoints exposed by the OpenID Provider
    • Implicit Grant or Authorization Code Flows
Base OAuth

Ignoring the distinction as to whether the tokens actually flow front-channel, or instead back-channel after a front-channel step:

[Diagram: User Agent, Client, AS and RS. 1) GET A TOKEN: Client to AS. 2) USE A TOKEN: Client to RS.]

OpenID Connect

[Diagram: the same actors plus the UserInfo endpoint at the RS. 1) GET A TOKEN: Client to AS. 2) READ A TOKEN: at the Client. 3) USE A TOKEN: Client to UserInfo.]
[Diagram: the ingredients SAML, SCIM, OAuth and JWT, with UMA added]
UMA == OAuth + centralized authz

1. OAuth allows for pairwise app-to-app connections. UMA, in addition, defines a hub from which many pairwise sharing connections can be managed, controlled, and revoked.
2. OAuth solves for person-to-self sharing. UMA, in addition, solves for secure person-to-person sharing and person-to-organization sharing.
3. OAuth leaves unstated how its "authorization server" and "resource server" components interact. UMA fully defines a standard interface between its enhanced versions of these two components, the authorization manager and host.

From UMA FAQ
[Diagram: the ingredients SAML, SCIM, OAuth and JWT, with XACML? added]
XACML?

Speculative

• XACML policy (a TBD JSON binding) inside a JWT???
  • Extends the simple scope model
• Interplay between SCIM-provisioned attributes & SaaS XACML policies?
• RESTful authz query for XACML?
  • The PEP sends an access token to the PDP (along with scopes); the PDP resolves the token as necessary and returns yes/no to the PEP
[Diagram: AS (token issuance), PDP (answers y/n to the PEP), Client, PEP and RS]
Questions


Editor's Notes

  • #36 Fly in the ointment is XACML
  • #38 Acknowledge that there is a SAML/XACML profile – but nobody uses it. What of composing XACML with OAuth – both nominally focussed on authz. What about carrying XACML in JWT etc etc