SlideShare a Scribd company logo

CIS 2015 Extreme SAML - Hans Zandbelt

CloudIDSummit
CloudIDSummit

These days the SAML standard is well known and widely deployed, most often with a minimal standard set of interoperable SSO features. This session will explore lessons learned from implementing SAML beyond the ordinary, based on first-hand experience from working on a handful of SAML products, architecting 100s of SAML deployments and setting up 1000s of connections. We will take a look at non-standard features, exotic deployments, and custom implementations of SAML and how to avoid some of the common and less common pitfalls. Topics include: - the worst mistakes found in SAML implementations & deployments - advanced SAML features and how they apply in real life - how to deal with thousands of SAML connections - a peek in to the future and evolution of SAML

Technology
1 of 29
Download to read offline
Extreme SAML Hans Zandbelt
Overview 1.  Specification(s) 2.  Deployment 3.  Advanced Topics & Pitfalls 4.  Conclusions & Recommendations Copyright © 2015 Cloud Identity Summit. All rights reserved. 2
Specification(s) Copyright © 2015 Cloud Identity Summit. All rights reserved. 3
The Specifications •  SAML 1.0: Nov 2002, 5 docs, 140 pages •  SAML 1.1: Sep 2003, 5 docs, 144 pages •  SAML 2.0: Mar 2005, 8 docs, 379 pages •  Old…, Large…, Difficult…, Ambiguous…, Extreme! •  E.g. Optional elements in core may be mandatory in binding OR profile •  Who implements what and how? Copyright © 2015 Cloud Identity Summit. All rights reserved. 4
Foundations (of problems) Copyright © 2015 Cloud Identity Summit. All rights reserved. 5 Heavyweight •  SOAP •  For some bindings •  Wire overhead, processing overhead, compatibility •  XML •  Semantics: Interoperable syntax doesn’t mean interoperable semantics •  Options…
Deployment Copyright © 2015 Cloud Identity Summit. All rights reserved. 6
Bindings (1) – SAML Redirect & POST Copyright © 2015 Cloud Identity Summit. All rights reserved. 7 Frontchannel only •  One step, by value •  Popular (95%): easy (firewall), no SP authentication •  For Requests and Responses (not redirect: size, logs) •  User Agent sees messages •  Unless encrypted Consumer Producer Browser 1
Bindings (2) – SAML Artifact Copyright © 2015 Cloud Identity Summit. All rights reserved. 8 Backchannel •  Two steps, by reference •  Pass reference through frontchannel, get message through backchannel •  Authentication of sender on backchannel! (cert mgmt) •  For Requests (rare) and (large) Responses •  (Perceived?) security Consumer Producer Browser 2 1
IDP initiated SSO Copyright © 2015 Cloud Identity Summit. All rights reserved. 9 Characteristics •  Assumes a starting point at the IDP •  Enterprise portal/intranet •  Implementation dependent trigger •  RelayState •  De-facto agreement •  Potential open redirect •  Deeplinks •  dependency on SP changes SP IDP Browser 1
SP initiated SSO Copyright © 2015 Cloud Identity Summit. All rights reserved. 10 Characteristics •  Start at the SP •  In some way a superset of IDP- init-SSO •  Static implementation independent links •  (Perceived?) overhead over SP- init-SSO •  roundtrip •  Need to find out about the IDP SP IDP Browser 2 1
Features Copyright © 2015 Cloud Identity Summit. All rights reserved. 11 Miscellaneous •  Signed Authentication Requests •  Why? Shift to SP init process •  DoS prevention…? Depends •  Encrypted Assertions •  SSL, user •  Session Management •  Application session != IDP session
Deployment Profile (1) Copyright © 2015 Cloud Identity Summit. All rights reserved. 12 Characteristics •  Differs from Implementation Profile (!), “what can you rely on” •  Options, Bindings,Attributes, LoA/ authncontext, forceAuthn, isPassive, User Consent •  Examples: •  E-Gov x1000 for each government… #$#%!%, FICAM, IDAP, e-Recognition… •  SAML2Int, v0.2, Higher Ed & Research
Deployment Profile (2): SAML2Int Copyright © 2015 Cloud Identity Summit. All rights reserved. 13 saml2int.org •  AuthNRequest – HTTP-Redirect, AuthNResponse – HTTP POST (yay!) •  Metadata MUST, technical contact •  Attribute format (“uri”), Name identifiers (transient MUST) •  No encryption, Etc.
Advanced Topics… and (==?) Pitfalls Copyright © 2015 Cloud Identity Summit. All rights reserved. 14
IDP Discovery (1) Copyright © 2015 Cloud Identity Summit. All rights reserved. 15 Issues •  Inconvenience for users •  But only the first time (in non- kiosk scenario’s) •  Often perceived as inhibitor for SSO •  “Ask User” is best common practice •  “intelligent” approaches •  Typically work well except for edge cases (roaming users)… •  Ok, not specific to SAML but WHERE ARE YOU FROM?
IDP Discovery (2) Copyright © 2015 Cloud Identity Summit. All rights reserved. 16 Solutions •  Enterprise: IDP init SSO from a corporate portal… •  NASCAR •  Consumer OK •  Enterprise: list/phish customers •  Domain scoped usernames •  “wayf-less” URLs (nice for deeplinks) •  Domain/vhost •  URL path •  Header, CIDR •  Account Chooser
Non-Browser Clients Copyright © 2015 Cloud Identity Summit. All rights reserved. 17 Enhanced Client or Proxy (ECP) •  Rich Clients, Desktop Clients, Native Mobile Apps (!) •  Adoption…, Interoperability… •  O365
Single Logout Copyright © 2015 Cloud Identity Summit. All rights reserved. 18 Frontchannel or Backchannel •  The nature of the web… •  User needs to inspect and accept results •  SSO != SLO •  Inconvenience vs. insecurity •  Attempt to increase security leads to decreased security… •  “if you think you understand SLO you probably don’t”
Trust Copyright © 2015 Cloud Identity Summit. All rights reserved. 19 Have YOU thought about it? •  Probably needs an SLA and/or policy (depending on who pays) •  SP: privacy •  IDP: accuracy •  Multi-lateral federation, frameworks
SAML 2.0 Metadata Copyright © 2015 Cloud Identity Summit. All rights reserved. 20 Federation Partner: “Identity” •  Optional.. but •  Source of trust •  How did you receive it? •  How do you update it? •  Valid-Until/Cache-Duration •  Certificate (format) in metadata is (usually) for key representation only (!), expiry (?) •  XML, Extensions… •  Deployment Profile
Signing and Verification Copyright © 2015 Cloud Identity Summit. All rights reserved. 21 The Core Piece •  XMLDSig: signature is embedded in XML, not detached •  Need to process XML and canonicalize •  Heavyweight, DoS sensitive •  Many different options, some of them have become insecure •  Sign response vs. assertion
Certificate Rollover Copyright © 2015 Cloud Identity Summit. All rights reserved. 22 Synchronization •  THE biggest problem •  Initial setup effort vs. maintenance effort (forget) •  Synchronization •  We can/should do better •  Use the same keypair for a new cert! •  May work, may defeat the purpose (compromised key) •  Multiple certs in metadata: support
Scalability Copyright © 2015 Cloud Identity Summit. All rights reserved. 23 Issues •  SAML is point to point •  Scalability of Trust •  Metadata exchange •  Proxy •  Scalability of attribute naming •  Adoption of interop/deployment profile(s)
Bridging Copyright © 2015 Cloud Identity Summit. All rights reserved. 24 Bridge / Proxy / Hub / Router •  Real sender/receiver info is lost •  Invisible across the bridge •  SAML requests have issuer, no audience/recipient •  Audience embedded in SSO URL •  Query/path •  Protocol translation •  IDPProxy SAML element •  Trust (!) IDPSP IDPSP IDPSP Proxy SPIDP
Failures Copyright © 2015 Cloud Identity Summit. All rights reserved. 25 A(Small) Selection •  SP branded login screen •  NOOO, IDP branding!! for security •  simpleSAMLphp demo cert… •  NO signature validation… •  Grep as XML parser… •  No replay prevention (toolkits) •  XML signature wrapping attack •  Code maintenance! •  SAML assertion = password •  Send somewhere else, impersonate, etc. •  Multiple assertions •  Support…API: how is it represented to the receiver…?
Successes Copyright © 2015 Cloud Identity Summit. All rights reserved. 26 Inclusive… •  Federation: standards based cross- domain SSO •  Single point of control back in enterprise domain •  Shadow IT •  Single point of authentication •  More than SSO •  No password proliferation •  Upgrade to strong authn •  It is there
Future Copyright © 2015 Cloud Identity Summit. All rights reserved. 27 Directions •  “SAML is dead” •  Multi-party federation through trusted 3rd party •  Proxy •  Metadata service, distribution •  Bridge to OpenID Connect •  SAML 2.1?
Recommendations Copyright © 2015 Cloud Identity Summit. All rights reserved. 28 Stick with the ordinary… •  Stable but only 5% is used, adoption/success is moderate, no development -> OIDC •  Still some pitfalls to consider •  DON’T READ THE SPEC AND ASSUME THAT YOUR PEERS INTERPRETED IT IN THE SAME WAY (OR EVEN READ IT…) •  BCP: SAML2INT
Copyright © 2015 Cloud Identity Summit. All rights reserved. 29 Thank You Hans Zandbelt hzandbelt@pingidentity.com Twitter: @hanszandbelt

Recommended

CIS13: Bootcamp: Ping Identity SAML in Action with PingFederate Hands-On
CIS13: Bootcamp: Ping Identity SAML in Action with PingFederate Hands-OnCIS13: Bootcamp: Ping Identity SAML in Action with PingFederate Hands-On
CIS13: Bootcamp: Ping Identity SAML in Action with PingFederate Hands-OnCloudIDSummit
 
JavaCro'15 - Oracle Java Cloud Service Java PaaS - Duško Vukmanović
JavaCro'15 - Oracle Java Cloud Service Java PaaS - Duško VukmanovićJavaCro'15 - Oracle Java Cloud Service Java PaaS - Duško Vukmanović
JavaCro'15 - Oracle Java Cloud Service Java PaaS - Duško VukmanovićHUJAK - Hrvatska udruga Java korisnika / Croatian Java User Association
 
CIS14: Identity at Scale: Next Gen Federation Architectures
CIS14: Identity at Scale: Next Gen Federation ArchitecturesCIS14: Identity at Scale: Next Gen Federation Architectures
CIS14: Identity at Scale: Next Gen Federation ArchitecturesCloudIDSummit
 
Webinar: "Entitlements: Taking Control of the Big Data Gold Rush"
Webinar: "Entitlements: Taking Control of the Big Data Gold Rush"Webinar: "Entitlements: Taking Control of the Big Data Gold Rush"
Webinar: "Entitlements: Taking Control of the Big Data Gold Rush"ForgeRock
 
How to integration DataPower with Zos
How to integration DataPower with ZosHow to integration DataPower with Zos
How to integration DataPower with ZosShiu-Fun Poon
 
Single Sign On 101
Single Sign On 101Single Sign On 101
Single Sign On 101Mike Schwartz
 
Delivering the Promise of SOA - Enterprise Integration Made Easy
Delivering the Promise of SOA - Enterprise Integration Made EasyDelivering the Promise of SOA - Enterprise Integration Made Easy
Delivering the Promise of SOA - Enterprise Integration Made EasyWSO2
 
Webinar: Customer Scale
Webinar: Customer ScaleWebinar: Customer Scale
Webinar: Customer ScaleForgeRock
 

Recommended

CIS13: Bootcamp: Ping Identity SAML in Action with PingFederate Hands-On
CIS13: Bootcamp: Ping Identity SAML in Action with PingFederate Hands-OnCIS13: Bootcamp: Ping Identity SAML in Action with PingFederate Hands-On
CIS13: Bootcamp: Ping Identity SAML in Action with PingFederate Hands-OnCloudIDSummit
 
JavaCro'15 - Oracle Java Cloud Service Java PaaS - Duško Vukmanović
JavaCro'15 - Oracle Java Cloud Service Java PaaS - Duško VukmanovićJavaCro'15 - Oracle Java Cloud Service Java PaaS - Duško Vukmanović
JavaCro'15 - Oracle Java Cloud Service Java PaaS - Duško VukmanovićHUJAK - Hrvatska udruga Java korisnika / Croatian Java User Association
 
CIS14: Identity at Scale: Next Gen Federation Architectures
CIS14: Identity at Scale: Next Gen Federation ArchitecturesCIS14: Identity at Scale: Next Gen Federation Architectures
CIS14: Identity at Scale: Next Gen Federation ArchitecturesCloudIDSummit
 
Webinar: "Entitlements: Taking Control of the Big Data Gold Rush"
Webinar: "Entitlements: Taking Control of the Big Data Gold Rush"Webinar: "Entitlements: Taking Control of the Big Data Gold Rush"
Webinar: "Entitlements: Taking Control of the Big Data Gold Rush"ForgeRock
 
How to integration DataPower with Zos
How to integration DataPower with ZosHow to integration DataPower with Zos
How to integration DataPower with ZosShiu-Fun Poon
 
Single Sign On 101
Single Sign On 101Single Sign On 101
Single Sign On 101Mike Schwartz
 
Delivering the Promise of SOA - Enterprise Integration Made Easy
Delivering the Promise of SOA - Enterprise Integration Made EasyDelivering the Promise of SOA - Enterprise Integration Made Easy
Delivering the Promise of SOA - Enterprise Integration Made EasyWSO2
 
Webinar: Customer Scale
Webinar: Customer ScaleWebinar: Customer Scale
Webinar: Customer ScaleForgeRock
 
Master IAM in the Cloud with SCIM v2.0
Master IAM in the Cloud with SCIM v2.0Master IAM in the Cloud with SCIM v2.0
Master IAM in the Cloud with SCIM v2.0Kelly Grizzle
 
SCIM: Why It’s More Important, and More Simple, Than You Think - CIS 2014
SCIM: Why It’s More Important, and More Simple, Than You Think - CIS 2014SCIM: Why It’s More Important, and More Simple, Than You Think - CIS 2014
SCIM: Why It’s More Important, and More Simple, Than You Think - CIS 2014Kelly Grizzle
 
CIS 2015 The IDaaS Dating Game - Sean Deuby
CIS 2015 The IDaaS Dating Game - Sean DeubyCIS 2015 The IDaaS Dating Game - Sean Deuby
CIS 2015 The IDaaS Dating Game - Sean DeubyCloudIDSummit
 
Vikas Jain Past Work
Vikas Jain Past WorkVikas Jain Past Work
Vikas Jain Past WorkVikas Jain
 
WSO2Con USA 2017: Enhancing Customer Experience with WSO2 Identity Server
WSO2Con USA 2017: Enhancing Customer Experience with WSO2 Identity ServerWSO2Con USA 2017: Enhancing Customer Experience with WSO2 Identity Server
WSO2Con USA 2017: Enhancing Customer Experience with WSO2 Identity ServerWSO2
 
WSO2 Charon
WSO2 CharonWSO2 Charon
WSO2 CharonHasiniG
 
Case Study: University of California, Berkeley and San Francisco
Case Study: University of California, Berkeley and San FranciscoCase Study: University of California, Berkeley and San Francisco
Case Study: University of California, Berkeley and San FranciscoForgeRock
 
Token vs Cookies (DevoxxMA 2015)
Token vs Cookies (DevoxxMA 2015)Token vs Cookies (DevoxxMA 2015)
Token vs Cookies (DevoxxMA 2015)Markus Schlichting
 
An Enhanced User Experience for Automobile Purchases with the WSO2 Mobile Ser...
An Enhanced User Experience for Automobile Purchases with the WSO2 Mobile Ser...An Enhanced User Experience for Automobile Purchases with the WSO2 Mobile Ser...
An Enhanced User Experience for Automobile Purchases with the WSO2 Mobile Ser...WSO2
 
Standardizing Identity Provisioning with SCIM
Standardizing Identity Provisioning with SCIMStandardizing Identity Provisioning with SCIM
Standardizing Identity Provisioning with SCIMHasiniG
 
NYC Identity Summit Tech Day: ForgeRock DevOps/Cloud Strategy
NYC Identity Summit Tech Day: ForgeRock DevOps/Cloud StrategyNYC Identity Summit Tech Day: ForgeRock DevOps/Cloud Strategy
NYC Identity Summit Tech Day: ForgeRock DevOps/Cloud StrategyForgeRock
 
CIS13: Bootcamp: PingOne as a Simple Identity Service
CIS13: Bootcamp: PingOne as a Simple Identity ServiceCIS13: Bootcamp: PingOne as a Simple Identity Service
CIS13: Bootcamp: PingOne as a Simple Identity ServiceCloudIDSummit
 
Design Practices for a Secure Azure Solution
Design Practices for a Secure Azure SolutionDesign Practices for a Secure Azure Solution
Design Practices for a Secure Azure SolutionMichele Leroux Bustamante
 
APIC/DataPower security
APIC/DataPower securityAPIC/DataPower security
APIC/DataPower securityShiu-Fun Poon
 
SCIM in the Real World: Adoption is Growing
SCIM in the Real World: Adoption is GrowingSCIM in the Real World: Adoption is Growing
SCIM in the Real World: Adoption is GrowingKelly Grizzle
 
Customer Scale: Stateless Sessions and Managing High-Volume Digital Services
Customer Scale: Stateless Sessions and Managing High-Volume Digital ServicesCustomer Scale: Stateless Sessions and Managing High-Volume Digital Services
Customer Scale: Stateless Sessions and Managing High-Volume Digital ServicesForgeRock
 
Identity Summit UK: STATELESS SESSIONS AND MANAGING HIGH-VOLUME DIGITAL SERVICES
Identity Summit UK: STATELESS SESSIONS AND MANAGING HIGH-VOLUME DIGITAL SERVICESIdentity Summit UK: STATELESS SESSIONS AND MANAGING HIGH-VOLUME DIGITAL SERVICES
Identity Summit UK: STATELESS SESSIONS AND MANAGING HIGH-VOLUME DIGITAL SERVICESForgeRock
 
JDD2015: Security in the era of modern applications and services - Bolesław D...
JDD2015: Security in the era of modern applications and services - Bolesław D...JDD2015: Security in the era of modern applications and services - Bolesław D...
JDD2015: Security in the era of modern applications and services - Bolesław D...PROIDEA
 
CIS 2013 Ping Identity Chalktalk
CIS 2013 Ping Identity ChalktalkCIS 2013 Ping Identity Chalktalk
CIS 2013 Ping Identity ChalktalkCraig Wu
 
CIS 2015 Session Management at Scale - Scott Tomilson & Jamshid Khosravian
CIS 2015 Session Management at Scale - Scott Tomilson & Jamshid KhosravianCIS 2015 Session Management at Scale - Scott Tomilson & Jamshid Khosravian
CIS 2015 Session Management at Scale - Scott Tomilson & Jamshid KhosravianCloudIDSummit
 
Openstack identity protocols unconference
Openstack identity protocols unconferenceOpenstack identity protocols unconference
Openstack identity protocols unconferenceDavid Waite
 
CIS13: Identity at Scale
CIS13: Identity at ScaleCIS13: Identity at Scale
CIS13: Identity at ScaleCloudIDSummit
 

More Related Content

What's hot

Master IAM in the Cloud with SCIM v2.0
Master IAM in the Cloud with SCIM v2.0Master IAM in the Cloud with SCIM v2.0
Master IAM in the Cloud with SCIM v2.0Kelly Grizzle
 
SCIM: Why It’s More Important, and More Simple, Than You Think - CIS 2014
SCIM: Why It’s More Important, and More Simple, Than You Think - CIS 2014SCIM: Why It’s More Important, and More Simple, Than You Think - CIS 2014
SCIM: Why It’s More Important, and More Simple, Than You Think - CIS 2014Kelly Grizzle
 
CIS 2015 The IDaaS Dating Game - Sean Deuby
CIS 2015 The IDaaS Dating Game - Sean DeubyCIS 2015 The IDaaS Dating Game - Sean Deuby
CIS 2015 The IDaaS Dating Game - Sean DeubyCloudIDSummit
 
Vikas Jain Past Work
Vikas Jain Past WorkVikas Jain Past Work
Vikas Jain Past WorkVikas Jain
 
WSO2Con USA 2017: Enhancing Customer Experience with WSO2 Identity Server
WSO2Con USA 2017: Enhancing Customer Experience with WSO2 Identity ServerWSO2Con USA 2017: Enhancing Customer Experience with WSO2 Identity Server
WSO2Con USA 2017: Enhancing Customer Experience with WSO2 Identity ServerWSO2
 
WSO2 Charon
WSO2 CharonWSO2 Charon
WSO2 CharonHasiniG
 
Case Study: University of California, Berkeley and San Francisco
Case Study: University of California, Berkeley and San FranciscoCase Study: University of California, Berkeley and San Francisco
Case Study: University of California, Berkeley and San FranciscoForgeRock
 
Token vs Cookies (DevoxxMA 2015)
Token vs Cookies (DevoxxMA 2015)Token vs Cookies (DevoxxMA 2015)
Token vs Cookies (DevoxxMA 2015)Markus Schlichting
 
An Enhanced User Experience for Automobile Purchases with the WSO2 Mobile Ser...
An Enhanced User Experience for Automobile Purchases with the WSO2 Mobile Ser...An Enhanced User Experience for Automobile Purchases with the WSO2 Mobile Ser...
An Enhanced User Experience for Automobile Purchases with the WSO2 Mobile Ser...WSO2
 
Standardizing Identity Provisioning with SCIM
Standardizing Identity Provisioning with SCIMStandardizing Identity Provisioning with SCIM
Standardizing Identity Provisioning with SCIMHasiniG
 
NYC Identity Summit Tech Day: ForgeRock DevOps/Cloud Strategy
NYC Identity Summit Tech Day: ForgeRock DevOps/Cloud StrategyNYC Identity Summit Tech Day: ForgeRock DevOps/Cloud Strategy
NYC Identity Summit Tech Day: ForgeRock DevOps/Cloud StrategyForgeRock
 
CIS13: Bootcamp: PingOne as a Simple Identity Service
CIS13: Bootcamp: PingOne as a Simple Identity ServiceCIS13: Bootcamp: PingOne as a Simple Identity Service
CIS13: Bootcamp: PingOne as a Simple Identity ServiceCloudIDSummit
 
Design Practices for a Secure Azure Solution
Design Practices for a Secure Azure SolutionDesign Practices for a Secure Azure Solution
Design Practices for a Secure Azure SolutionMichele Leroux Bustamante
 
APIC/DataPower security
APIC/DataPower securityAPIC/DataPower security
APIC/DataPower securityShiu-Fun Poon
 
SCIM in the Real World: Adoption is Growing
SCIM in the Real World: Adoption is GrowingSCIM in the Real World: Adoption is Growing
SCIM in the Real World: Adoption is GrowingKelly Grizzle
 

What's hot (15)

Master IAM in the Cloud with SCIM v2.0
Master IAM in the Cloud with SCIM v2.0Master IAM in the Cloud with SCIM v2.0
Master IAM in the Cloud with SCIM v2.0
 
SCIM: Why It’s More Important, and More Simple, Than You Think - CIS 2014
SCIM: Why It’s More Important, and More Simple, Than You Think - CIS 2014SCIM: Why It’s More Important, and More Simple, Than You Think - CIS 2014
SCIM: Why It’s More Important, and More Simple, Than You Think - CIS 2014
 
CIS 2015 The IDaaS Dating Game - Sean Deuby
CIS 2015 The IDaaS Dating Game - Sean DeubyCIS 2015 The IDaaS Dating Game - Sean Deuby
CIS 2015 The IDaaS Dating Game - Sean Deuby
 
Vikas Jain Past Work
Vikas Jain Past WorkVikas Jain Past Work
Vikas Jain Past Work
 
WSO2Con USA 2017: Enhancing Customer Experience with WSO2 Identity Server
WSO2Con USA 2017: Enhancing Customer Experience with WSO2 Identity ServerWSO2Con USA 2017: Enhancing Customer Experience with WSO2 Identity Server
WSO2Con USA 2017: Enhancing Customer Experience with WSO2 Identity Server
 
WSO2 Charon
WSO2 CharonWSO2 Charon
WSO2 Charon
 
Case Study: University of California, Berkeley and San Francisco
Case Study: University of California, Berkeley and San FranciscoCase Study: University of California, Berkeley and San Francisco
Case Study: University of California, Berkeley and San Francisco
 
Token vs Cookies (DevoxxMA 2015)
Token vs Cookies (DevoxxMA 2015)Token vs Cookies (DevoxxMA 2015)
Token vs Cookies (DevoxxMA 2015)
 
An Enhanced User Experience for Automobile Purchases with the WSO2 Mobile Ser...
An Enhanced User Experience for Automobile Purchases with the WSO2 Mobile Ser...An Enhanced User Experience for Automobile Purchases with the WSO2 Mobile Ser...
An Enhanced User Experience for Automobile Purchases with the WSO2 Mobile Ser...
 
Standardizing Identity Provisioning with SCIM
Standardizing Identity Provisioning with SCIMStandardizing Identity Provisioning with SCIM
Standardizing Identity Provisioning with SCIM
 
NYC Identity Summit Tech Day: ForgeRock DevOps/Cloud Strategy
NYC Identity Summit Tech Day: ForgeRock DevOps/Cloud StrategyNYC Identity Summit Tech Day: ForgeRock DevOps/Cloud Strategy
NYC Identity Summit Tech Day: ForgeRock DevOps/Cloud Strategy
 
CIS13: Bootcamp: PingOne as a Simple Identity Service
CIS13: Bootcamp: PingOne as a Simple Identity ServiceCIS13: Bootcamp: PingOne as a Simple Identity Service
CIS13: Bootcamp: PingOne as a Simple Identity Service
 
Design Practices for a Secure Azure Solution
Design Practices for a Secure Azure SolutionDesign Practices for a Secure Azure Solution
Design Practices for a Secure Azure Solution
 
APIC/DataPower security
APIC/DataPower securityAPIC/DataPower security
APIC/DataPower security
 
SCIM in the Real World: Adoption is Growing
SCIM in the Real World: Adoption is GrowingSCIM in the Real World: Adoption is Growing
SCIM in the Real World: Adoption is Growing
 

Similar to CIS 2015 Extreme SAML - Hans Zandbelt

Customer Scale: Stateless Sessions and Managing High-Volume Digital Services
Customer Scale: Stateless Sessions and Managing High-Volume Digital ServicesCustomer Scale: Stateless Sessions and Managing High-Volume Digital Services
Customer Scale: Stateless Sessions and Managing High-Volume Digital ServicesForgeRock
 
Identity Summit UK: STATELESS SESSIONS AND MANAGING HIGH-VOLUME DIGITAL SERVICES
Identity Summit UK: STATELESS SESSIONS AND MANAGING HIGH-VOLUME DIGITAL SERVICESIdentity Summit UK: STATELESS SESSIONS AND MANAGING HIGH-VOLUME DIGITAL SERVICES
Identity Summit UK: STATELESS SESSIONS AND MANAGING HIGH-VOLUME DIGITAL SERVICESForgeRock
 
JDD2015: Security in the era of modern applications and services - Bolesław D...
JDD2015: Security in the era of modern applications and services - Bolesław D...JDD2015: Security in the era of modern applications and services - Bolesław D...
JDD2015: Security in the era of modern applications and services - Bolesław D...PROIDEA
 
CIS 2013 Ping Identity Chalktalk
CIS 2013 Ping Identity ChalktalkCIS 2013 Ping Identity Chalktalk
CIS 2013 Ping Identity ChalktalkCraig Wu
 
CIS 2015 Session Management at Scale - Scott Tomilson & Jamshid Khosravian
CIS 2015 Session Management at Scale - Scott Tomilson & Jamshid KhosravianCIS 2015 Session Management at Scale - Scott Tomilson & Jamshid Khosravian
CIS 2015 Session Management at Scale - Scott Tomilson & Jamshid KhosravianCloudIDSummit
 
Openstack identity protocols unconference
Openstack identity protocols unconferenceOpenstack identity protocols unconference
Openstack identity protocols unconferenceDavid Waite
 
CIS13: Identity at Scale
CIS13: Identity at ScaleCIS13: Identity at Scale
CIS13: Identity at ScaleCloudIDSummit
 
Secure Your Cloud Migration - Secureworld 2019 Charlotte
Secure Your Cloud Migration - Secureworld 2019 CharlotteSecure Your Cloud Migration - Secureworld 2019 Charlotte
Secure Your Cloud Migration - Secureworld 2019 CharlotteMike Brannon
 
CIS 2015 SCIM in the Real World - Kelly Grizzle
CIS 2015 SCIM in the Real World - Kelly GrizzleCIS 2015 SCIM in the Real World - Kelly Grizzle
CIS 2015 SCIM in the Real World - Kelly GrizzleCloudIDSummit
 
OAuth 101 & Secure APIs 2012 Cloud Identity Summit
OAuth 101 & Secure APIs 2012 Cloud Identity SummitOAuth 101 & Secure APIs 2012 Cloud Identity Summit
OAuth 101 & Secure APIs 2012 Cloud Identity SummitBrian Campbell
 
Identity Management with the ForgeRock Identity Platform - So What’s New?
Identity Management with the ForgeRock Identity Platform - So What’s New?Identity Management with the ForgeRock Identity Platform - So What’s New?
Identity Management with the ForgeRock Identity Platform - So What’s New?ForgeRock
 
CIS13: Identity as a Matter of Public Safety: A Case Study in Secure API Acce...
CIS13: Identity as a Matter of Public Safety: A Case Study in Secure API Acce...CIS13: Identity as a Matter of Public Safety: A Case Study in Secure API Acce...
CIS13: Identity as a Matter of Public Safety: A Case Study in Secure API Acce...CloudIDSummit
 
IoT mobile app device cloud identity and security architecture
IoT mobile app device cloud identity and security architectureIoT mobile app device cloud identity and security architecture
IoT mobile app device cloud identity and security architectureVinod Wilson
 
The Platform Big Picture
The Platform Big PictureThe Platform Big Picture
The Platform Big PictureForgeRock
 
Expand Your Control of Access to IBM i Systems and Data
Expand Your Control of Access to IBM i Systems and DataExpand Your Control of Access to IBM i Systems and Data
Expand Your Control of Access to IBM i Systems and DataPrecisely
 
CIS 2015 OpenID Connect Workshop Part 1: Challenges for mobile - B. Allyn Fay
CIS 2015 OpenID Connect Workshop Part 1: Challenges for mobile - B. Allyn FayCIS 2015 OpenID Connect Workshop Part 1: Challenges for mobile - B. Allyn Fay
CIS 2015 OpenID Connect Workshop Part 1: Challenges for mobile - B. Allyn FayCloudIDSummit
 
Alfresco DevCon 2019: Encryption at-rest and in-transit
Alfresco DevCon 2019: Encryption at-rest and in-transitAlfresco DevCon 2019: Encryption at-rest and in-transit
Alfresco DevCon 2019: Encryption at-rest and in-transitToni de la Fuente
 
iOS application (in)security
iOS application (in)securityiOS application (in)security
iOS application (in)securityiphonepentest
 
Controlling Access to IBM i Systems and Data
Controlling Access to IBM i Systems and DataControlling Access to IBM i Systems and Data
Controlling Access to IBM i Systems and DataPrecisely
 
TechFuse 2012: Cloud and Mobile Computing
TechFuse 2012: Cloud and Mobile ComputingTechFuse 2012: Cloud and Mobile Computing
TechFuse 2012: Cloud and Mobile ComputingAvtex
 

Similar to CIS 2015 Extreme SAML - Hans Zandbelt (20)

Customer Scale: Stateless Sessions and Managing High-Volume Digital Services
Customer Scale: Stateless Sessions and Managing High-Volume Digital ServicesCustomer Scale: Stateless Sessions and Managing High-Volume Digital Services
Customer Scale: Stateless Sessions and Managing High-Volume Digital Services
 
Identity Summit UK: STATELESS SESSIONS AND MANAGING HIGH-VOLUME DIGITAL SERVICES
Identity Summit UK: STATELESS SESSIONS AND MANAGING HIGH-VOLUME DIGITAL SERVICESIdentity Summit UK: STATELESS SESSIONS AND MANAGING HIGH-VOLUME DIGITAL SERVICES
Identity Summit UK: STATELESS SESSIONS AND MANAGING HIGH-VOLUME DIGITAL SERVICES
 
JDD2015: Security in the era of modern applications and services - Bolesław D...
JDD2015: Security in the era of modern applications and services - Bolesław D...JDD2015: Security in the era of modern applications and services - Bolesław D...
JDD2015: Security in the era of modern applications and services - Bolesław D...
 
CIS 2013 Ping Identity Chalktalk
CIS 2013 Ping Identity ChalktalkCIS 2013 Ping Identity Chalktalk
CIS 2013 Ping Identity Chalktalk
 
CIS 2015 Session Management at Scale - Scott Tomilson & Jamshid Khosravian
CIS 2015 Session Management at Scale - Scott Tomilson & Jamshid KhosravianCIS 2015 Session Management at Scale - Scott Tomilson & Jamshid Khosravian
CIS 2015 Session Management at Scale - Scott Tomilson & Jamshid Khosravian
 
Openstack identity protocols unconference
Openstack identity protocols unconferenceOpenstack identity protocols unconference
Openstack identity protocols unconference
 
CIS13: Identity at Scale
CIS13: Identity at ScaleCIS13: Identity at Scale
CIS13: Identity at Scale
 
Secure Your Cloud Migration - Secureworld 2019 Charlotte
Secure Your Cloud Migration - Secureworld 2019 CharlotteSecure Your Cloud Migration - Secureworld 2019 Charlotte
Secure Your Cloud Migration - Secureworld 2019 Charlotte
 
CIS 2015 SCIM in the Real World - Kelly Grizzle
CIS 2015 SCIM in the Real World - Kelly GrizzleCIS 2015 SCIM in the Real World - Kelly Grizzle
CIS 2015 SCIM in the Real World - Kelly Grizzle
 
OAuth 101 & Secure APIs 2012 Cloud Identity Summit
OAuth 101 & Secure APIs 2012 Cloud Identity SummitOAuth 101 & Secure APIs 2012 Cloud Identity Summit
OAuth 101 & Secure APIs 2012 Cloud Identity Summit
 
Identity Management with the ForgeRock Identity Platform - So What’s New?
Identity Management with the ForgeRock Identity Platform - So What’s New?Identity Management with the ForgeRock Identity Platform - So What’s New?
Identity Management with the ForgeRock Identity Platform - So What’s New?
 
CIS13: Identity as a Matter of Public Safety: A Case Study in Secure API Acce...
CIS13: Identity as a Matter of Public Safety: A Case Study in Secure API Acce...CIS13: Identity as a Matter of Public Safety: A Case Study in Secure API Acce...
CIS13: Identity as a Matter of Public Safety: A Case Study in Secure API Acce...
 
IoT mobile app device cloud identity and security architecture
IoT mobile app device cloud identity and security architectureIoT mobile app device cloud identity and security architecture
IoT mobile app device cloud identity and security architecture
 
The Platform Big Picture
The Platform Big PictureThe Platform Big Picture
The Platform Big Picture
 
Expand Your Control of Access to IBM i Systems and Data
Expand Your Control of Access to IBM i Systems and DataExpand Your Control of Access to IBM i Systems and Data
Expand Your Control of Access to IBM i Systems and Data
 
CIS 2015 OpenID Connect Workshop Part 1: Challenges for mobile - B. Allyn Fay
CIS 2015 OpenID Connect Workshop Part 1: Challenges for mobile - B. Allyn FayCIS 2015 OpenID Connect Workshop Part 1: Challenges for mobile - B. Allyn Fay
CIS 2015 OpenID Connect Workshop Part 1: Challenges for mobile - B. Allyn Fay
 
Alfresco DevCon 2019: Encryption at-rest and in-transit
Alfresco DevCon 2019: Encryption at-rest and in-transitAlfresco DevCon 2019: Encryption at-rest and in-transit
Alfresco DevCon 2019: Encryption at-rest and in-transit
 
iOS application (in)security
iOS application (in)securityiOS application (in)security
iOS application (in)security
 
Controlling Access to IBM i Systems and Data
Controlling Access to IBM i Systems and DataControlling Access to IBM i Systems and Data
Controlling Access to IBM i Systems and Data
 
TechFuse 2012: Cloud and Mobile Computing
TechFuse 2012: Cloud and Mobile ComputingTechFuse 2012: Cloud and Mobile Computing
TechFuse 2012: Cloud and Mobile Computing
 

More from CloudIDSummit

CIS 2016 Content Highlights
CIS 2016 Content HighlightsCIS 2016 Content Highlights
CIS 2016 Content HighlightsCloudIDSummit
 
Top 6 Reasons You Should Attend Cloud Identity Summit 2016
Top 6 Reasons You Should Attend Cloud Identity Summit 2016Top 6 Reasons You Should Attend Cloud Identity Summit 2016
Top 6 Reasons You Should Attend Cloud Identity Summit 2016CloudIDSummit
 
CIS 2015 Security Without Borders: Taming the Cloud and Mobile Frontier - And...
CIS 2015 Security Without Borders: Taming the Cloud and Mobile Frontier - And...CIS 2015 Security Without Borders: Taming the Cloud and Mobile Frontier - And...
CIS 2015 Security Without Borders: Taming the Cloud and Mobile Frontier - And...CloudIDSummit
 
Mobile security, identity & authentication reasons for optimism 20150607 v2
Mobile security, identity & authentication reasons for optimism 20150607 v2Mobile security, identity & authentication reasons for optimism 20150607 v2
Mobile security, identity & authentication reasons for optimism 20150607 v2CloudIDSummit
 
CIS 2015 Mobile Security, Identity & Authentication: Reasons for Optimism - R...
CIS 2015 Mobile Security, Identity & Authentication: Reasons for Optimism - R...CIS 2015 Mobile Security, Identity & Authentication: Reasons for Optimism - R...
CIS 2015 Mobile Security, Identity & Authentication: Reasons for Optimism - R...CloudIDSummit
 
CIS 2015 Virtual Identity: The Vision, Challenges and Experiences in Driving ...
CIS 2015 Virtual Identity: The Vision, Challenges and Experiences in Driving ...CIS 2015 Virtual Identity: The Vision, Challenges and Experiences in Driving ...
CIS 2015 Virtual Identity: The Vision, Challenges and Experiences in Driving ...CloudIDSummit
 
CIS 2015 Deploying Strong Authentication to a Global Enterprise: A Comedy in ...
CIS 2015 Deploying Strong Authentication to a Global Enterprise: A Comedy in ...CIS 2015 Deploying Strong Authentication to a Global Enterprise: A Comedy in ...
CIS 2015 Deploying Strong Authentication to a Global Enterprise: A Comedy in ...CloudIDSummit
 
CIS 2015 Without Great Security, Digital Identity is Not Worth the Electrons ...
CIS 2015 Without Great Security, Digital Identity is Not Worth the Electrons ...CIS 2015 Without Great Security, Digital Identity is Not Worth the Electrons ...
CIS 2015 Without Great Security, Digital Identity is Not Worth the Electrons ...CloudIDSummit
 
CIS 2015 Mergers & Acquisitions in a Cloud Enabled World - Brian Puhl
CIS 2015 Mergers & Acquisitions in a Cloud Enabled World - Brian PuhlCIS 2015 Mergers & Acquisitions in a Cloud Enabled World - Brian Puhl
CIS 2015 Mergers & Acquisitions in a Cloud Enabled World - Brian PuhlCloudIDSummit
 
CIS 2015 IoT and IDM in your Mobile Enterprise - Brian Katz
CIS 2015 IoT and IDM in your Mobile Enterprise - Brian KatzCIS 2015 IoT and IDM in your Mobile Enterprise - Brian Katz
CIS 2015 IoT and IDM in your Mobile Enterprise - Brian KatzCloudIDSummit
 
CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...
CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...
CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...CloudIDSummit
 
CIS 2015 What I Learned From Pitching IAM To My CIO - Steve Tout
CIS 2015 What I Learned From Pitching IAM To My CIO - Steve ToutCIS 2015 What I Learned From Pitching IAM To My CIO - Steve Tout
CIS 2015 What I Learned From Pitching IAM To My CIO - Steve ToutCloudIDSummit
 
CIS 2015 How to secure the Internet of Things? Hannes Tschofenig
CIS 2015 How to secure the Internet of Things? Hannes TschofenigCIS 2015 How to secure the Internet of Things? Hannes Tschofenig
CIS 2015 How to secure the Internet of Things? Hannes TschofenigCloudIDSummit
 
CIS 2015 SSO for Mobile and Web Apps Ashish Jain
CIS 2015 SSO for Mobile and Web Apps Ashish JainCIS 2015 SSO for Mobile and Web Apps Ashish Jain
CIS 2015 SSO for Mobile and Web Apps Ashish JainCloudIDSummit
 
The Industrial Internet, the Identity of Everything and the Industrial Enterp...
The Industrial Internet, the Identity of Everything and the Industrial Enterp...The Industrial Internet, the Identity of Everything and the Industrial Enterp...
The Industrial Internet, the Identity of Everything and the Industrial Enterp...CloudIDSummit
 
CIS 2015 SAML-IN / SAML-OUT - Scott Tomilson & John Dasilva
CIS 2015 SAML-IN / SAML-OUT - Scott Tomilson & John DasilvaCIS 2015 SAML-IN / SAML-OUT - Scott Tomilson & John Dasilva
CIS 2015 SAML-IN / SAML-OUT - Scott Tomilson & John DasilvaCloudIDSummit
 
CIS 2015 So you want to SSO … Scott Tomilson & John Dasilva
CIS 2015 So you want to SSO … Scott Tomilson & John DasilvaCIS 2015 So you want to SSO … Scott Tomilson & John Dasilva
CIS 2015 So you want to SSO … Scott Tomilson & John DasilvaCloudIDSummit
 
CIS 2015 Identity Relationship Management in the Internet of Things
CIS 2015 Identity Relationship Management in the Internet of ThingsCIS 2015 Identity Relationship Management in the Internet of Things
CIS 2015 Identity Relationship Management in the Internet of ThingsCloudIDSummit
 
CIS 2015 The Ethics of Personal Data - Robin Wilton
CIS 2015 The Ethics of Personal Data - Robin WiltonCIS 2015 The Ethics of Personal Data - Robin Wilton
CIS 2015 The Ethics of Personal Data - Robin WiltonCloudIDSummit
 
CIS 2015 What’s next? Discovery, Dynamic Registration, Mobile Connect and mor...
CIS 2015 What’s next? Discovery, Dynamic Registration, Mobile Connect and mor...CIS 2015 What’s next? Discovery, Dynamic Registration, Mobile Connect and mor...
CIS 2015 What’s next? Discovery, Dynamic Registration, Mobile Connect and mor...CloudIDSummit
 

More from CloudIDSummit (20)

CIS 2016 Content Highlights
CIS 2016 Content HighlightsCIS 2016 Content Highlights
CIS 2016 Content Highlights
 
Top 6 Reasons You Should Attend Cloud Identity Summit 2016
Top 6 Reasons You Should Attend Cloud Identity Summit 2016Top 6 Reasons You Should Attend Cloud Identity Summit 2016
Top 6 Reasons You Should Attend Cloud Identity Summit 2016
 
CIS 2015 Security Without Borders: Taming the Cloud and Mobile Frontier - And...
CIS 2015 Security Without Borders: Taming the Cloud and Mobile Frontier - And...CIS 2015 Security Without Borders: Taming the Cloud and Mobile Frontier - And...
CIS 2015 Security Without Borders: Taming the Cloud and Mobile Frontier - And...
 
Mobile security, identity & authentication reasons for optimism 20150607 v2
Mobile security, identity & authentication reasons for optimism 20150607 v2Mobile security, identity & authentication reasons for optimism 20150607 v2
Mobile security, identity & authentication reasons for optimism 20150607 v2
 
CIS 2015 Mobile Security, Identity & Authentication: Reasons for Optimism - R...
CIS 2015 Mobile Security, Identity & Authentication: Reasons for Optimism - R...CIS 2015 Mobile Security, Identity & Authentication: Reasons for Optimism - R...
CIS 2015 Mobile Security, Identity & Authentication: Reasons for Optimism - R...
 
CIS 2015 Virtual Identity: The Vision, Challenges and Experiences in Driving ...
CIS 2015 Virtual Identity: The Vision, Challenges and Experiences in Driving ...CIS 2015 Virtual Identity: The Vision, Challenges and Experiences in Driving ...
CIS 2015 Virtual Identity: The Vision, Challenges and Experiences in Driving ...
 
CIS 2015 Deploying Strong Authentication to a Global Enterprise: A Comedy in ...
CIS 2015 Deploying Strong Authentication to a Global Enterprise: A Comedy in ...CIS 2015 Deploying Strong Authentication to a Global Enterprise: A Comedy in ...
CIS 2015 Deploying Strong Authentication to a Global Enterprise: A Comedy in ...
 
CIS 2015 Without Great Security, Digital Identity is Not Worth the Electrons ...
CIS 2015 Without Great Security, Digital Identity is Not Worth the Electrons ...CIS 2015 Without Great Security, Digital Identity is Not Worth the Electrons ...
CIS 2015 Without Great Security, Digital Identity is Not Worth the Electrons ...
 
CIS 2015 Mergers & Acquisitions in a Cloud Enabled World - Brian Puhl
CIS 2015 Mergers & Acquisitions in a Cloud Enabled World - Brian PuhlCIS 2015 Mergers & Acquisitions in a Cloud Enabled World - Brian Puhl
CIS 2015 Mergers & Acquisitions in a Cloud Enabled World - Brian Puhl
 
CIS 2015 IoT and IDM in your Mobile Enterprise - Brian Katz
CIS 2015 IoT and IDM in your Mobile Enterprise - Brian KatzCIS 2015 IoT and IDM in your Mobile Enterprise - Brian Katz
CIS 2015 IoT and IDM in your Mobile Enterprise - Brian Katz
 
CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...
CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...
CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...
 
CIS 2015 What I Learned From Pitching IAM To My CIO - Steve Tout
CIS 2015 What I Learned From Pitching IAM To My CIO - Steve ToutCIS 2015 What I Learned From Pitching IAM To My CIO - Steve Tout
CIS 2015 What I Learned From Pitching IAM To My CIO - Steve Tout
 
CIS 2015 How to secure the Internet of Things? Hannes Tschofenig
CIS 2015 How to secure the Internet of Things? Hannes TschofenigCIS 2015 How to secure the Internet of Things? Hannes Tschofenig
CIS 2015 How to secure the Internet of Things? Hannes Tschofenig
 
CIS 2015 SSO for Mobile and Web Apps Ashish Jain
CIS 2015 SSO for Mobile and Web Apps Ashish JainCIS 2015 SSO for Mobile and Web Apps Ashish Jain
CIS 2015 SSO for Mobile and Web Apps Ashish Jain
 
The Industrial Internet, the Identity of Everything and the Industrial Enterp...
The Industrial Internet, the Identity of Everything and the Industrial Enterp...The Industrial Internet, the Identity of Everything and the Industrial Enterp...
The Industrial Internet, the Identity of Everything and the Industrial Enterp...
 
CIS 2015 SAML-IN / SAML-OUT - Scott Tomilson & John Dasilva
CIS 2015 SAML-IN / SAML-OUT - Scott Tomilson & John DasilvaCIS 2015 SAML-IN / SAML-OUT - Scott Tomilson & John Dasilva
CIS 2015 SAML-IN / SAML-OUT - Scott Tomilson & John Dasilva
 
CIS 2015 So you want to SSO … Scott Tomilson & John Dasilva
CIS 2015 So you want to SSO … Scott Tomilson & John DasilvaCIS 2015 So you want to SSO … Scott Tomilson & John Dasilva
CIS 2015 So you want to SSO … Scott Tomilson & John Dasilva
 
CIS 2015 Identity Relationship Management in the Internet of Things
CIS 2015 Identity Relationship Management in the Internet of ThingsCIS 2015 Identity Relationship Management in the Internet of Things
CIS 2015 Identity Relationship Management in the Internet of Things
 
CIS 2015 The Ethics of Personal Data - Robin Wilton
CIS 2015 The Ethics of Personal Data - Robin WiltonCIS 2015 The Ethics of Personal Data - Robin Wilton
CIS 2015 The Ethics of Personal Data - Robin Wilton
 
CIS 2015 What’s next? Discovery, Dynamic Registration, Mobile Connect and mor...
CIS 2015 What’s next? Discovery, Dynamic Registration, Mobile Connect and mor...CIS 2015 What’s next? Discovery, Dynamic Registration, Mobile Connect and mor...
CIS 2015 What’s next? Discovery, Dynamic Registration, Mobile Connect and mor...
 

Recently uploaded

SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 

Recently uploaded (20)

SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptx
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 

CIS 2015 Extreme SAML - Hans Zandbelt

  • 2. Overview 1.  Specification(s) 2.  Deployment 3.  Advanced Topics & Pitfalls 4.  Conclusions & Recommendations Copyright © 2015 Cloud Identity Summit. All rights reserved. 2
  • 3. Specification(s) Copyright © 2015 Cloud Identity Summit. All rights reserved. 3
  • 4. The Specifications •  SAML 1.0: Nov 2002, 5 docs, 140 pages •  SAML 1.1: Sep 2003, 5 docs, 144 pages •  SAML 2.0: Mar 2005, 8 docs, 379 pages •  Old…, Large…, Difficult…, Ambiguous…, Extreme! •  E.g. Optional elements in core may be mandatory in binding OR profile •  Who implements what and how? Copyright © 2015 Cloud Identity Summit. All rights reserved. 4
  • 5. Foundations (of problems) Copyright © 2015 Cloud Identity Summit. All rights reserved. 5 Heavyweight •  SOAP •  For some bindings •  Wire overhead, processing overhead, compatibility •  XML •  Semantics: Interoperable syntax doesn’t mean interoperable semantics •  Options…
  • 6. Deployment Copyright © 2015 Cloud Identity Summit. All rights reserved. 6
  • 7. Bindings (1) – SAML Redirect & POST Copyright © 2015 Cloud Identity Summit. All rights reserved. 7 Frontchannel only •  One step, by value •  Popular (95%): easy (firewall), no SP authentication •  For Requests and Responses (not redirect: size, logs) •  User Agent sees messages •  Unless encrypted Consumer Producer Browser 1
  • 8. Bindings (2) – SAML Artifact Copyright © 2015 Cloud Identity Summit. All rights reserved. 8 Backchannel •  Two steps, by reference •  Pass reference through frontchannel, get message through backchannel •  Authentication of sender on backchannel! (cert mgmt) •  For Requests (rare) and (large) Responses •  (Perceived?) security Consumer Producer Browser 2 1
  • 9. IDP initiated SSO Copyright © 2015 Cloud Identity Summit. All rights reserved. 9 Characteristics •  Assumes a starting point at the IDP •  Enterprise portal/intranet •  Implementation dependent trigger •  RelayState •  De-facto agreement •  Potential open redirect •  Deeplinks •  dependency on SP changes SP IDP Browser 1
  • 10. SP initiated SSO Copyright © 2015 Cloud Identity Summit. All rights reserved. 10 Characteristics •  Start at the SP •  In some way a superset of IDP- init-SSO •  Static implementation independent links •  (Perceived?) overhead over SP- init-SSO •  roundtrip •  Need to find out about the IDP SP IDP Browser 2 1
  • 11. Features Copyright © 2015 Cloud Identity Summit. All rights reserved. 11 Miscellaneous •  Signed Authentication Requests •  Why? Shift to SP init process •  DoS prevention…? Depends •  Encrypted Assertions •  SSL, user •  Session Management •  Application session != IDP session
  • 12. Deployment Profile (1) Copyright © 2015 Cloud Identity Summit. All rights reserved. 12 Characteristics •  Differs from Implementation Profile (!), “what can you rely on” •  Options, Bindings,Attributes, LoA/ authncontext, forceAuthn, isPassive, User Consent •  Examples: •  E-Gov x1000 for each government… #$#%!%, FICAM, IDAP, e-Recognition… •  SAML2Int, v0.2, Higher Ed & Research
  • 13. Deployment Profile (2): SAML2Int Copyright © 2015 Cloud Identity Summit. All rights reserved. 13 saml2int.org •  AuthNRequest – HTTP-Redirect, AuthNResponse – HTTP POST (yay!) •  Metadata MUST, technical contact •  Attribute format (“uri”), Name identifiers (transient MUST) •  No encryption, Etc.
  • 14. Advanced Topics… and (==?) Pitfalls Copyright © 2015 Cloud Identity Summit. All rights reserved. 14
  • 15. IDP Discovery (1) Copyright © 2015 Cloud Identity Summit. All rights reserved. 15 Issues •  Inconvenience for users •  But only the first time (in non- kiosk scenario’s) •  Often perceived as inhibitor for SSO •  “Ask User” is best common practice •  “intelligent” approaches •  Typically work well except for edge cases (roaming users)… •  Ok, not specific to SAML but WHERE ARE YOU FROM?
  • 16. IDP Discovery (2) Copyright © 2015 Cloud Identity Summit. All rights reserved. 16 Solutions •  Enterprise: IDP init SSO from a corporate portal… •  NASCAR •  Consumer OK •  Enterprise: list/phish customers •  Domain scoped usernames •  “wayf-less” URLs (nice for deeplinks) •  Domain/vhost •  URL path •  Header, CIDR •  Account Chooser
  • 17. Non-Browser Clients Copyright © 2015 Cloud Identity Summit. All rights reserved. 17 Enhanced Client or Proxy (ECP) •  Rich Clients, Desktop Clients, Native Mobile Apps (!) •  Adoption…, Interoperability… •  O365
  • 18. Single Logout Copyright © 2015 Cloud Identity Summit. All rights reserved. 18 Frontchannel or Backchannel •  The nature of the web… •  User needs to inspect and accept results •  SSO != SLO •  Inconvenience vs. insecurity •  Attempt to increase security leads to decreased security… •  “if you think you understand SLO you probably don’t”
  • 19. Trust Copyright © 2015 Cloud Identity Summit. All rights reserved. 19 Have YOU thought about it? •  Probably needs an SLA and/or policy (depending on who pays) •  SP: privacy •  IDP: accuracy •  Multi-lateral federation, frameworks
  • 20. SAML 2.0 Metadata Copyright © 2015 Cloud Identity Summit. All rights reserved. 20 Federation Partner: “Identity” •  Optional.. but •  Source of trust •  How did you receive it? •  How do you update it? •  Valid-Until/Cache-Duration •  Certificate (format) in metadata is (usually) for key representation only (!), expiry (?) •  XML, Extensions… •  Deployment Profile
  • 21. Signing and Verification Copyright © 2015 Cloud Identity Summit. All rights reserved. 21 The Core Piece •  XMLDSig: signature is embedded in XML, not detached •  Need to process XML and canonicalize •  Heavyweight, DoS sensitive •  Many different options, some of them have become insecure •  Sign response vs. assertion
  • 22. Certificate Rollover Copyright © 2015 Cloud Identity Summit. All rights reserved. 22 Synchronization •  THE biggest problem •  Initial setup effort vs. maintenance effort (forget) •  Synchronization •  We can/should do better •  Use the same keypair for a new cert! •  May work, may defeat the purpose (compromised key) •  Multiple certs in metadata: support
  • 23. Scalability Copyright © 2015 Cloud Identity Summit. All rights reserved. 23 Issues •  SAML is point to point •  Scalability of Trust •  Metadata exchange •  Proxy •  Scalability of attribute naming •  Adoption of interop/deployment profile(s)
  • 24. Bridging Copyright © 2015 Cloud Identity Summit. All rights reserved. 24 Bridge / Proxy / Hub / Router •  Real sender/receiver info is lost •  Invisible across the bridge •  SAML requests have issuer, no audience/recipient •  Audience embedded in SSO URL •  Query/path •  Protocol translation •  IDPProxy SAML element •  Trust (!) IDPSP IDPSP IDPSP Proxy SPIDP
  • 25. Failures Copyright © 2015 Cloud Identity Summit. All rights reserved. 25 A(Small) Selection •  SP branded login screen •  NOOO, IDP branding!! for security •  simpleSAMLphp demo cert… •  NO signature validation… •  Grep as XML parser… •  No replay prevention (toolkits) •  XML signature wrapping attack •  Code maintenance! •  SAML assertion = password •  Send somewhere else, impersonate, etc. •  Multiple assertions •  Support…API: how is it represented to the receiver…?
  • 26. Successes Copyright © 2015 Cloud Identity Summit. All rights reserved. 26 Inclusive… •  Federation: standards based cross- domain SSO •  Single point of control back in enterprise domain •  Shadow IT •  Single point of authentication •  More than SSO •  No password proliferation •  Upgrade to strong authn •  It is there
  • 27. Future Copyright © 2015 Cloud Identity Summit. All rights reserved. 27 Directions •  “SAML is dead” •  Multi-party federation through trusted 3rd party •  Proxy •  Metadata service, distribution •  Bridge to OpenID Connect •  SAML 2.1?
  • 28. Recommendations Copyright © 2015 Cloud Identity Summit. All rights reserved. 28 Stick with the ordinary… •  Stable but only 5% is used, adoption/success is moderate, no development -> OIDC •  Still some pitfalls to consider •  DON’T READ THE SPEC AND ASSUME THAT YOUR PEERS INTERPRETED IT IN THE SAME WAY (OR EVEN READ IT…) •  BCP: SAML2INT
  • 29. Copyright © 2015 Cloud Identity Summit. All rights reserved. 29 Thank You Hans Zandbelt hzandbelt@pingidentity.com Twitter: @hanszandbelt