This document discusses several identity and authentication standards and techniques for multi-partner environments, including discovery, account chooser, dynamic registration, and federation proxy. It focuses on supporting authentication across multiple identity providers when first interacting with a user, without prior knowledge of which provider they belong to. Standards like discovery, SAML cookies, and account chooser help determine the user's provider. Dynamic registration and openID metadata allow clients to obtain credentials and configuration for a newly-discovered provider. Federation proxies can simplify integration by fronting multiple backends. Mobile Connect and best practices for native apps are also covered.

1. Part 3: What’s next? Discovery, Dynamic
Registration, Mobile Connect and more!
David Waite

2. Contents
• Supporting Multiple partners
• Discovery + Account Chooser
• Metadata/Configuration and Dynamic Registration
• Mobile Connect
• Federation Proxy
• Native Application Spec
Copyright © 2015 Cloud Identity Summit. All rights reserved. 2

3. Question
• How do you authenticate each person differently when
you don’t yet know who they are?
Copyright © 2015 Cloud Identity Summit. All rights reserved. 3

4. Multiple Authentication Schemes
• Typical Bank Website
• Ask for account information
• Ask for user-specific authentication
• Federation (including OpenID Connect) decouples
authentication from the process which needs it
Copyright © 2015 Cloud Identity Summit. All rights reserved. 4

5. Discovery in a SaaS World
• Branded URLs / Customer domains
• Deep links
• Persistent cookie (req. introduction)
• Email domain to customer mapping
• Account to customer mapping
• HTTP Headers, CIDR Rules, etc etc.
Copyright © 2015 Cloud Identity Summit. All rights reserved. 5

6. Fallback
• Each of these is fallible
• Fall back to
• Next heuristic
• Error page
• NASCAR page
Copyright © 2015 Cloud Identity Summit. All rights reserved. 6

7. Discovery Standards
• The federation standards have resulted in
specifications on how to do this discovery
• Where Are You From (WAYF)
• Intermediary for a network of connections (edu
institutions)
Copyright © 2015 Cloud Identity Summit. All rights reserved. 7

8. Discovery Standards
• SAML Common Domain cookie
• A network creates a common DNS domain that
each member joins in order to set/read standard-
format cookies
• AccountChooser.com
• A non-profit-managed domain and protocol to
cache accounts used for future user selection
Copyright © 2015 Cloud Identity Summit. All rights reserved. 8

9. Account Chooser
• RP triggers prompt for accounts
• Based on requirements
• RP indicates “successful” authentications should be
stored
• RP controls fallback (social media, local login/
registration, NASCAR)
• Successful authentications cached in browser offline
storage
Copyright © 2015 Cloud Identity Summit. All rights reserved. 9

10. Account Chooser Demo
Copyright © 2015 Cloud Identity Summit. All rights reserved. 10

11. Question
• What if a user enters an address you don’t recognize
Copyright © 2015 Cloud Identity Summit. All rights reserved. 11

12. Webfinger
• RFC xxxx
• Query for information on resources
• With OIDC, given a user account
dwaite@example.com, give information on OP that
Copyright © 2015 Cloud Identity Summit. All rights reserved. 12

13. Webfinger interface has a single, inconvenient
location
• https://<domain>/.well-known/webfinger
• dynamic functionality
• OIDC allows for this information to come from another
location, such as a proxy
Copyright © 2015 Cloud Identity Summit. All rights reserved. 13

14. Question
• This user account is associated with an OP I don’t
know
Copyright © 2015 Cloud Identity Summit. All rights reserved. 14

15. OpenID Metadata
• Divided into two parts
• Service endpoints and capabilities, catchable against
client forever
• /.well-known/openid-configuration
• Cryptographic keys, rotate often
• pointed to by configuration
Copyright © 2015 Cloud Identity Summit. All rights reserved. 15

16. Question
• Now I know the OP, but I don’t have a relationship
with/credentials for them
Copyright © 2015 Cloud Identity Summit. All rights reserved. 16

17. Dynamic Client Registration
• advertised in OpenID Metadata
• request credentials from OP
• credentials may expire/need to be refreshed
Copyright © 2015 Cloud Identity Summit. All rights reserved. 17

18. Dynamic Client Registration
• way to have a unique client for each installation of app
• exchange hard-coded token for dynamic, per-user
one
• prevents some credential hijacking and impersonation
attacks
Copyright © 2015 Cloud Identity Summit. All rights reserved. 18

19. Demos
• Webfinger Protocol Demo
• OpenID Metadata Demo
• Dynamic Client Registration demo
• SSO using dynamic client
Copyright © 2015 Cloud Identity Summit. All rights reserved. 19

20. Question
• What to do if the site has a terms of service before
you can connect a client, or other proof that you are a
‘trusted’ client?
Copyright © 2015 Cloud Identity Summit. All rights reserved. 20

21. Copyright © 2015 Cloud Identity Summit. All rights reserved. 21
Case Study: Mobile Connect
• Discovery process involving account chooser
• Account chooser returns a fake account at the
carrier
• GSMA gives a client attestation used for registration
at any of the worldwide carriers supporting connect
• Get back a pseudonym for the user

22. Copyright © 2015 Cloud Identity Summit. All rights reserved. 22
Question
• The partner access token doesn’t give me access to
the APIs I need. How can I get my own access
token?

23. Copyright © 2015 Cloud Identity Summit. All rights reserved. 23
Need
• authentication/attributes/groups from partner
• To issue the access token yourself
• User information from partner can determine
capabilities of user on site, so authentication affects
access

24. Copyright © 2015 Cloud Identity Summit. All rights reserved. 24
• OIDC to your AS server
• your server does OIDC (or SAML) to your partners
• Local authentication? Another “federation”
Federation Proxy

25. Copyright © 2015 Cloud Identity Summit. All rights reserved. 25
• App client doesn’t need to dynamically register itself
with partners
• single connection to your AS
• Can provide uniform attributes an API access for
your client needs
Benefits

26. Copyright © 2015 Cloud Identity Summit. All rights reserved. 26
• What are the best practices for implementing all this
in mobile apps?
Question

27. Copyright © 2015 Cloud Identity Summit. All rights reserved. 27
Napps Working Group
• Working group progress…