Copyright ©2013 Ping Identity Corporation. All rights reserved.
Federation Protocols:
A Cross-Section
David Waite
Technical Architect, Ping Labs
Who am I?
• David Waite
• In Identity Space for 10 years
• With Ping Labs group
Mad Scientist and Mad Science Facilitator
Alternative Talk Name #1
Build your own Federated Identity Protocol
Rejected!
• Do not want to encourage people to build
their own protocols!
• Confusing with other aspects of talk
Alternative Talk Name #2
SAML 101: The Speed Run
Rejected!
• But, not going to focus on just one protocol
– SAML 2.0
– WS-Federation
– OpenID Connect
– and friends
• all at once
Federation Protocols: A Cross-Section
• What is Federated Identity
– Thinking about things at a higher level
• How protocols solve the problem similarly
– The individual steps they all take
• How protocols differ, and why
Caveats
• Not covering parts outside Authentication
– Single log out, Name Identifier Mapping, etc.
• Will be conflating what is possible and
what is deployed
• Calling Everything Identity Provider/
Service Provider
• Will be jumping around a little bit
Basics of Federated Identity
The Venerable Login Form
(Local) Login Process
• Detect need to authenticate user
• Authentication Request (Challenge)
• Receive Response
• Validate Response
• Success!
Web SSO
• Web SSO
– Share identity from Identity Provider to Service
Provider
– In the context of a Web Browser
– Speaking HTTP and understanding HTML
– Requiring no additional client code
Local Login Process (Redux)
• Detect need to authenticate user
• Authentication Request (Challenge)
• Receive Response
• Validate Response
• Success!
SAML SP Login Process
• Detect need to authenticate user
• Send AuthnRequest
• Receive AuthnResponse
• Validate AuthnResponse
• Success!
Web SSO
• Web SSO is an abstraction
– of authentication mechanisms
• A Service can delegate user authentication
– To another party they trust
• An authentication mechanism Proxy
Details
• The Identity Provider (IDP) is
authenticating on behalf of a user
to a Service Provider (SP):
– Challenge goes to another server
– Response comes back from that server
• Validation of server response leads to user
authentication on the Service Provider
• SP not exposed to actual authentication
Protocol Differences
In the beginning...
• In the beginning, there was SAML
– proprietary systems for doing Web SSO
required selling and deploying solutions to both sides
• Now could be labelled enterprisey tech
– XML
– X.509 certs/keys
– SSL deployment
– Partners configured via admins
Issues with XML
• XML is/was
– cross-language with lots of tool support
– extensible
– buzz-worthy
• But the XML signing/encryption support is
– hard to implement (canonicalization)
– spotty across languages
– difficult to verify as secure
OpenID 1/2
• Heavily influenced by blogging community
– low cost shared hosting
• No SSL requirement
• Option for relying party to be stateless w/o crypto
• User Centric
– discovery of Identity Providers (OPs) built-in
– dynamic connections with no manual setup
OpenID 1/2
• Symmetric keys per partner
– negotiated via DH
– similar security model to SSH
• Query parameter protocol
– invented canonicalization, signing mechanism
– swiped by OAuth 1
WS-Federation
• WS-Federation
– SAML protocol has additional baggage
– SAML assertions are worth using
– Something more STS/WS-* compatible
• Replaces protocol bits with query strings
• Still sends XML SAML tokens
• Implementations usually focus on
interoperability with Microsoft
OpenID Connect
• Built on top of OAuth 2
– Service Provider is OAuth 2 client
– Identity Provider (OP) is Authorization Server
• Like OpenID 1/2
– discovery of Identity Providers (OPs) defined
– connections without manual setup possible
• Encourages per-domain setup
– Facebook Connect model
OpenID Connect
• More modular design
– built on top of OAuth 2, WebFinger, JW*
• Basic/Implicit Client
– use a slice through dependent specs
• Dynamic Clients
– require WebFinger, client registration, JWK
• Profile of OAuth 2
Protocol Specifics
Request Commonalities
• Usually requests are not signed/encrypted
– expensive signature for anonymous users
• DDoS opportunity
– Choices usually negotiated out-of-band
– Response typically references choices made
• relayed state
Request Differences
• OAuth bundles several things into the
request process
– Discovery, metadata/key lookup/provisioning
• SAML, WS-Federation nearly always have
partners provisioned beforehand
• SAML requests are not addressed to an
Identity Provider
Response Commonalities
• User attributes and authentication
information
• Sent to Service Provider, verifiable via
– Front channel signed message
– Back channel (SAML and OpenID 2)
Response Differences
• SAML 2 supports encryption
– protect information from user/third parties in
browser channel
• Asymmetric keys support non-repudiation
• OpenID 2 may require network discovery
to process response
– Authenticated ID != requested ID
Validation of Response
• Validate message is well-formed
• Decrypt/validate signatures
• Verify information
– is it acceptable for the IDP to make these
claims?
• Map to any local account
• Create session (and store cookie)
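The request and validation steps above, as an added example that is not part of the deck: an SP records relayed state and a nonce when it sends the request, then runs the validation slide's checks in order over an OpenID Connect style ID token (compact JWS). A shared HMAC key per partner stands in for the IdP's signing key so the example runs offline; the issuer, client id, key and account table are all constructed.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed partner configuration: what the SP provisioned out-of-band.
# A shared HMAC key per partner stands in for the IdP's signing key so the
# example runs offline; a real deployment verifies an RSA/EC signature
# against keys published in the IdP's metadata.
TRUSTED_IDPS = {
    "https://idp.example.com": {"key": b"constructed-shared-secret-not-real"},
}
CLIENT_ID = "sp.example.org"  # this SP's identifier at the IdP
LOCAL_ACCOUNTS = {  # constructed: (issuer, subject) -> local user
    ("https://idp.example.com", "user-42"): "alice",
}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_request(pending: dict) -> dict:
    """Send AuthnRequest: the SP records relayed state and a nonce before
    redirecting, so the response can be tied back to this request."""
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    pending[state] = {"nonce": nonce, "issued": time.time()}
    return {"client_id": CLIENT_ID, "response_type": "id_token",
            "state": state, "nonce": nonce}


def mint_id_token(issuer: str, claims: dict) -> str:
    """IdP side, constructed here only to produce input for the validator."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps({"iss": issuer, **claims}).encode())
    sig = hmac.new(TRUSTED_IDPS[issuer]["key"],
                   f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"


def validate_response(id_token: str, state: str, pending: dict, now=None) -> str:
    """The 'Validation of Response' steps in order. Returns the local account
    name, or raises ValueError naming the check that failed."""
    now = time.time() if now is None else now
    # 1. Well-formed: three base64url segments carrying JSON header and claims.
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header = json.loads(b64url_decode(parts[0]))
    claims = json.loads(b64url_decode(parts[1]))
    # 2. Validate the signature with the key provisioned for the issuer.
    #    The algorithm is pinned by configuration, never taken from the token.
    idp = TRUSTED_IDPS.get(claims.get("iss"))
    if idp is None:
        raise ValueError("unknown issuer")
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(idp["key"], f"{parts[0]}.{parts[1]}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(parts[2])):
        raise ValueError("bad signature")
    # 3. Verify the information: may this IdP make these claims to this SP?
    if claims.get("aud") != CLIENT_ID:
        raise ValueError("token not addressed to this SP")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    # 4. The response must reference the relayed state and nonce we issued;
    #    the state is consumed first so a replayed response cannot succeed.
    req = pending.pop(state, None)
    if req is None or claims.get("nonce") != req["nonce"]:
        raise ValueError("state/nonce mismatch")
    # 5. Map to a local account (session creation would follow here).
    account = LOCAL_ACCOUNTS.get((claims["iss"], claims.get("sub")))
    if account is None:
        raise ValueError("no local account for subject")
    return account


def login_outcome(id_token: str, state: str, pending: dict, now: float) -> str:
    """Convenience wrapper: 'ok:<account>' or 'error:<reason>'."""
    try:
        return "ok:" + validate_response(id_token, state, pending, now)
    except ValueError as exc:
        return "error:" + str(exc)
```

The checks are ordered so that cheap structural and signature failures are rejected before the one-time state is consumed.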
Final Detour: Discovery
Discovery
What if you had more than one way to log
in locally?
IDP Discovery
• Federated Web SSO
– more than one Identity Provider exists
– need to figure out which one to use
– How to do that when you don't know who the
user is yet?
IDP Discovery
• No perfect strategy!
• Eventually, you have to either
– ask user to pick from list
– fail with user instructions
Option #1
User picks from list of all options
Option #1
• What about when you have too many
options?
• Identity providers may be your customers
• can you publicize your customer list?
Option 2
• OpenID - ask your user who they are first
Option 2
• User may not know what is appropriate to
type into the field
– Most services aren't willing to take on user
education for a new authentication system
• Two-step login process
• Assumes a single place to send all users
matching pattern
Option 3
• Cardspace had an Active Component
– Knew where you could log in
– Services specified their needs for an IDP
Option 3
• Requiring active component to work limits
adoption
• Users still had to add Identity Providers
– But their employer could do this for them
Other options
• Unique IDP per distinct URL
– https://companyname.servicedomain.com
• Look at source IP address as hint
• Firewall/Profile adds HTTP header
• Portal links hint via URL parameters
• Identity-Provider-Initiated only
• Must do IDP initiated once, then set cookie
Account Chooser
https://www.accountchooser.com/
Pro Tips
• Approaches typically aren't protocol specific
– mix and match
• Cache choice on success for use later
• SAML describes sharing previous decisions
across domains via browser/cookie cache
– WAYF, SAML Common Domain
• Make an explicit choice on fallback strategy
– give user list, or fail with user instructions
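The "Other options" and "Pro Tips" slides above, as an added example that is not part of the deck: an SP-side discovery resolver that tries the hints in a fixed precedence (URL parameter, per-customer host, cached cookie, proxy-added header, source IP) and otherwise returns the explicit fallback of showing the list. The hint names, IdP table, networks and cookie name are all constructed; every hint can only select among IdPs the SP already provisioned.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Constructed provisioning data. Hints are untrusted request input, so each
# one may only select among partners already provisioned here.
IDP_BY_HOST = {"acme.servicedomain.example": "https://idp.acme.example"}
IDP_BY_ALIAS = {"acme": "https://idp.acme.example",
                "globex": "https://idp.globex.example"}
IDP_BY_NETWORK = [(ipaddress.ip_network("203.0.113.0/24"),
                   "https://idp.globex.example")]
KNOWN_IDPS = set(IDP_BY_ALIAS.values())
CHOICE_COOKIE = "idp_choice"  # assumed cookie name, set after a successful login


@dataclass
class Request:
    """The parts of an incoming HTTP request the hints are read from."""
    host: str
    query: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)
    client_ip: str = "192.0.2.1"


@dataclass
class Discovery:
    idp: Optional[str]  # None means: fall back to the explicit strategy
    source: str         # which hint decided, for logging


def _accept(candidate: Optional[str], source: str) -> Optional[Discovery]:
    # Only provisioned partners are ever selected, whatever the hint says.
    if candidate in KNOWN_IDPS:
        return Discovery(candidate, source)
    return None


def discover_idp(req: Request) -> Discovery:
    """Try the deck's hints in a fixed precedence; the order is this
    example's assumption, not something the protocols prescribe."""
    # Portal link hint via URL parameter (explicit, so it wins).
    hit = _accept(IDP_BY_ALIAS.get(req.query.get("idp", "")), "url-param")
    if hit:
        return hit
    # Unique IdP per distinct URL (per-customer host name).
    hit = _accept(IDP_BY_HOST.get(req.host.lower()), "host")
    if hit:
        return hit
    # Cached choice from a previous successful login.
    hit = _accept(req.cookies.get(CHOICE_COOKIE), "cookie")
    if hit:
        return hit
    # Header added by a firewall or profile in front of the SP.
    hit = _accept(IDP_BY_ALIAS.get(req.headers.get("X-IdP-Hint", "")), "header")
    if hit:
        return hit
    # Source IP address as a hint.
    try:
        ip = ipaddress.ip_address(req.client_ip)
    except ValueError:
        ip = None
    for network, idp in IDP_BY_NETWORK:
        if ip is not None and ip in network:
            return Discovery(idp, "source-ip")
    # Explicit fallback: show the user the list (or fail with instructions).
    return Discovery(None, "fallback:list")


def remember_choice(idp: str) -> dict:
    """On successful login, cache the choice for the next visit."""
    return {CHOICE_COOKIE: idp}
```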

 

Recently uploaded

Less Is More: Utilizing Ballerina to Architect a Cloud Data Platform
Less Is More: Utilizing Ballerina to Architect a Cloud Data PlatformLess Is More: Utilizing Ballerina to Architect a Cloud Data Platform
Less Is More: Utilizing Ballerina to Architect a Cloud Data PlatformWSO2
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfOrbitshub
 
AI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by AnitarajAI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by AnitarajAnitaRaj43
 
Stronger Together: Developing an Organizational Strategy for Accessible Desig...
Stronger Together: Developing an Organizational Strategy for Accessible Desig...Stronger Together: Developing an Organizational Strategy for Accessible Desig...
Stronger Together: Developing an Organizational Strategy for Accessible Desig...caitlingebhard1
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
WSO2 Micro Integrator for Enterprise Integration in a Decentralized, Microser...
WSO2 Micro Integrator for Enterprise Integration in a Decentralized, Microser...WSO2 Micro Integrator for Enterprise Integration in a Decentralized, Microser...
WSO2 Micro Integrator for Enterprise Integration in a Decentralized, Microser...WSO2
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxRemote DBA Services
 
Quantum Leap in Next-Generation Computing
Quantum Leap in Next-Generation ComputingQuantum Leap in Next-Generation Computing
Quantum Leap in Next-Generation ComputingWSO2
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityWSO2
 
JohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptxJohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptxJohnPollard37
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...Zilliz
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusZilliz
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Victor Rentea
 
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)Samir Dash
 
Introduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDMIntroduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDMKumar Satyam
 
Choreo: Empowering the Future of Enterprise Software Engineering
Choreo: Empowering the Future of Enterprise Software EngineeringChoreo: Empowering the Future of Enterprise Software Engineering
Choreo: Empowering the Future of Enterprise Software EngineeringWSO2
 
Navigating Identity and Access Management in the Modern Enterprise
Navigating Identity and Access Management in the Modern EnterpriseNavigating Identity and Access Management in the Modern Enterprise
Navigating Identity and Access Management in the Modern EnterpriseWSO2
 

Recently uploaded (20)

Less Is More: Utilizing Ballerina to Architect a Cloud Data Platform
Less Is More: Utilizing Ballerina to Architect a Cloud Data PlatformLess Is More: Utilizing Ballerina to Architect a Cloud Data Platform
Less Is More: Utilizing Ballerina to Architect a Cloud Data Platform
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
AI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by AnitarajAI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by Anitaraj
 
Stronger Together: Developing an Organizational Strategy for Accessible Desig...
Stronger Together: Developing an Organizational Strategy for Accessible Desig...Stronger Together: Developing an Organizational Strategy for Accessible Desig...
Stronger Together: Developing an Organizational Strategy for Accessible Desig...
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
WSO2 Micro Integrator for Enterprise Integration in a Decentralized, Microser...
WSO2 Micro Integrator for Enterprise Integration in a Decentralized, Microser...WSO2 Micro Integrator for Enterprise Integration in a Decentralized, Microser...
WSO2 Micro Integrator for Enterprise Integration in a Decentralized, Microser...
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 
Quantum Leap in Next-Generation Computing
Quantum Leap in Next-Generation ComputingQuantum Leap in Next-Generation Computing
Quantum Leap in Next-Generation Computing
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
 
JohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptxJohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptx
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
 
Introduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDMIntroduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDM
 
Choreo: Empowering the Future of Enterprise Software Engineering
Choreo: Empowering the Future of Enterprise Software EngineeringChoreo: Empowering the Future of Enterprise Software Engineering
Choreo: Empowering the Future of Enterprise Software Engineering
 
Navigating Identity and Access Management in the Modern Enterprise
Navigating Identity and Access Management in the Modern EnterpriseNavigating Identity and Access Management in the Modern Enterprise
Navigating Identity and Access Management in the Modern Enterprise
 

CIS13: Federation Protocol Cross-Section

  • 1. Federation Protocols: A Cross-Section. David Waite, Technical Architect, Ping Labs
  • 2. Who am I? • David Waite • In Identity Space for 10 years • With Ping Labs group: Mad Scientist and Mad Science Facilitator
  • 3. Alternative Talk Name #1: Build your own Federated Identity Protocol
  • 4. Rejected! • Do not want to encourage people to build their own protocols! • Confusing with other aspects of talk
  • 5. Alternative Talk Name #2: SAML 101: The Speed Run
  • 6. Rejected! • But, not just going to focus on one protocol – SAML 2.0 – WS-Federation – OpenID Connect – and friends • all at once
  • 7. Federation Protocols: A Cross-Section • What is Federated Identity – Thinking about things at a higher level • How protocols solve the problem similarly – The individual steps they all take • How protocols differ, and why
  • 8. Caveats • Not covering parts outside Authentication – Single log out, Name Identifier Mapping, etc. • Will be conflating what is possible and what is deployed • Calling everything Identity Provider / Service Provider • Will be jumping around a little bit
  • 9. Basics of Federated Identity
  • 10. The Venerable Login Form
  • 11. (Local) Login Process • Detect need to authenticate user • Authentication Request (Challenge) • Receive Response • Validate Response • Success!
  • 12. Web SSO • Web SSO – Share identity from Identity Provider to Service Provider – In the context of a Web Browser – Speaking HTTP and understanding HTML – Requiring no additional client code
  • 13. Local Login Process (Redux) • Detect need to authenticate user • Authentication Request (Challenge) • Receive Response • Validate Response • Success!
  • 14. SAML SP Login Process • Detect need to authenticate user • Send AuthnRequest • Receive AuthnResponse • Validate AuthnResponse • Success!
  • 15. Web SSO • Web SSO is an abstraction – of authentication mechanisms • A Service can delegate user authentication – To another party they trust • An authentication mechanism Proxy
  • 16. Details • The Identity Provider (IDP) is authenticating on behalf of a user to a Service Provider (SP): – Challenge goes to another server – Response comes back from that server • Validation of server response leads to user authentication on the Service Provider • SP not exposed to actual authentication
  • 17. Protocol Differences
  • 18. In the beginning... • In the beginning, there was SAML – proprietary systems for doing Web SSO required selling and deploying solutions to both sides • Now could be labelled enterprisy tech – XML – X.509 certs/keys – SSL deployment – Partners configured via admins
  • 19. Issues with XML • XML is/was – cross-language with lots of tool support – extensible – buzz-worthy • But the XML signing/encryption support is – hard to implement (canonicalization) – spotty across languages – difficult to verify as secure
  • 20. OpenID 1/2 • Heavily influenced by blogging community – low-cost shared hosting • No SSL requirement • Option for relying party to be stateless without crypto • User Centric – discovery of Identity Providers (OPs) built-in – dynamic connections with no manual setup
  • 21. OpenID 1/2 • Symmetric keys per partner – negotiated via DH – similar security model to SSH • Query parameter protocol – invented canonicalization, signing mechanism – swiped by OAuth 1
  • 22. WS-Federation • WS-Federation – SAML protocol has additional baggage – SAML assertions are worth using – Something more STS/WS-* compatible • Replaces protocol bits with query strings • Still sends XML SAML tokens • Implementations usually focus on interoperability with Microsoft
  • 23. OpenID Connect • Built on top of OAuth 2 – Service Provider is OAuth 2 client – Identity Provider (OP) is Authorization Server • Like OpenID 1/2 – discovery of Identity Providers (OPs) defined – connections without manual setup possible • Encourages per-domain setup – Facebook Connect model
  • 24. OpenID Connect
  • 25. OpenID Connect • More modular design – built on top of OAuth 2, WebFinger, JW* • Basic/Implicit Client – use a slice through dependent specs • Dynamic Clients – require WebFinger, client registration, JWK • Profile of OAuth 2
  • 26. Protocol Specifics
  • 27. Request Commonalities • Usually requests are not signed/encrypted – expensive signature for anonymous users • DDoS opportunity – Choices usually negotiated out-of-band – Response typically references choices made • relayed state
  • 28. Request Differences • OAuth bundles several things into the request process – Discovery, metadata/key lookup/provisioning • SAML, WS-Federation nearly always have partners provisioned beforehand • SAML requests are not addressed to an Identity Provider
  • 29. Response Commonalities • User attributes and authentication information • Sent to Service Provider, verifiable via – Front channel signed message – Back channel (SAML and OpenID 2)
  • 30. Response Differences • SAML 2 supports encryption – protect information from user/third parties in browser channel • Asymmetric keys support non-repudiation • OpenID 2 may require network discovery to process response – Authenticated ID != requested ID
  • 31. Validation of Response • Validate message is well-formed • Decrypt/validate signatures • Verify information – is it acceptable for the IDP to make these claims? • Map to any local account • Create session (and store cookie)
  • 32. Final Detour: Discovery
  • 33. Discovery: What if you had more than one way to log in locally?
  • 34. IDP Discovery • Federated Web SSO – more than one Identity Provider exists – need to figure out which one to use – How to do that when you don't know who the user is yet?
  • 35. IDP Discovery • No perfect strategy! • Eventually, you have to either – ask user to pick from list – fail with user instructions
  • 36. Option #1: User picks from list of all options
  • 37. Option #1 • What about when you have too many options? • Identity providers may be your customers • can you publicize your customer list?
  • 38. Option 2 • OpenID - ask your user who they are first
  • 39. Option 2 • User may not know what is appropriate to type into the field – Most services aren't willing to take on user education for a new authentication system • Two-step login process • Assumes a single place to send all users matching pattern
  • 40. Option 3 • Cardspace had an Active Component – Knew where you could log in – Services specified their needs for an IDP
  • 41. Option 3 • Requiring active component to work limits adoption • Users still had to add Identity Providers – But their employer could do this for them
  • 42. Other options • Unique IDP per distinct URL – https://companyname.servicedomain.com • Look at source IP address as hint • Firewall/Profile adds HTTP header • Portal links hint via URL parameters • Identity-Provider-Initiated only • Must do IDP initiated once, then set cookie
  • 43. Account Chooser https://www.accountchooser.com/
  • 44. Pro Tips • Approaches typically aren't protocol specific - mix and match • Cache choice on success for use later • SAML describes sharing previous decisions across domains via browser/cookie cache – WAYF, SAML Common Domain • Make an explicit choice on fallback strategy – give user list, or fail with user instructions
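The response-handling steps on slides 27 and 31 (relayed state tying the response to a request, then well-formed check, signature, claim verification, local account mapping, session) as an added, runnable example. This is not code from the deck or from Ping Identity: it models the response as an OpenID Connect style ID token in compact JWS form signed with HS256 over a shared client secret, because the Python standard library has no RSA; a deployment using the asymmetric keys slide 30 mentions would swap in public-key verification at the same step. The secret, issuer, client id, nonce store and local account table are all constructed.

```python
"""Service-provider side validation of a federated authentication response.
Constructed example (not Ping Identity code). The response is a compact JWS
(HS256 over a shared client secret); the order of checks follows slide 31."""
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed configuration (assumptions for the example)
CLIENT_SECRET = b"constructed-client-secret-not-a-real-credential"
SP_CLIENT_ID = "sp.example"               # audience the token must name
TRUSTED_ISSUER = "https://idp.example"    # the one IdP this SP has provisioned
LOCAL_ACCOUNTS = {"idp-user-42": "alice"}  # federated subject -> local user


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def begin_login(pending: dict) -> str:
    """Slide 27: record relayed state when the request goes out, so the
    response can be matched to an outstanding request. Returns the nonce."""
    nonce = secrets.token_urlsafe(16)
    pending[nonce] = time.time()
    return nonce


def issue_token(claims: dict) -> str:
    """Stand-in for the IdP: sign the claims as a compact JWS (HS256)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(CLIENT_SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def validate_response(token: str, pending: dict, now=None):
    """Returns (local_user, error); exactly one of the two is None."""
    now = time.time() if now is None else now
    # 1. Validate message is well-formed: three segments, JSON header and body
    parts = token.split(".")
    if len(parts) != 3:
        return None, "malformed"
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
    except (ValueError, UnicodeDecodeError):
        return None, "malformed"
    # 2. Validate signature. The algorithm is pinned by configuration; the
    #    'alg' in the message is only compared, never used to pick a routine.
    if header.get("alg") != "HS256":
        return None, "unexpected alg"
    expected = hmac.new(CLIENT_SECRET, f"{parts[0]}.{parts[1]}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        return None, "bad signature"
    # 3. Verify information: may this IdP make these claims, to this SP, now?
    if claims.get("iss") != TRUSTED_ISSUER:
        return None, "untrusted issuer"
    if claims.get("aud") != SP_CLIENT_ID:
        return None, "wrong audience"
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return None, "expired"
    # Relayed state: the nonce must match an outstanding request and is
    # consumed here, so the same response cannot be presented twice.
    if pending.pop(claims.get("nonce"), None) is None:
        return None, "unknown or replayed nonce"
    # 4. Map to a local account
    local_user = LOCAL_ACCOUNTS.get(claims.get("sub"))
    if local_user is None:
        return None, "no local account"
    # 5. Create session (cookie handling belongs to the web framework)
    return local_user, None


def demo():
    """One full round trip, then the same response presented again."""
    pending = {}
    nonce = begin_login(pending)
    token = issue_token({"iss": TRUSTED_ISSUER, "aud": SP_CLIENT_ID,
                         "sub": "idp-user-42", "nonce": nonce,
                         "exp": int(time.time()) + 300})
    first = validate_response(token, pending)
    replay = validate_response(token, pending)
    return first, replay
```

The check order matters: cheap structural checks run before the signature, and the nonce is only consumed after issuer, audience and expiry pass, so a response rejected for a wrong audience does not burn the outstanding request state.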
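The discovery options on slides 34 to 44 (cached choice cookie, URL parameter from a portal link, unique host per IdP, header added by a firewall or profile, OpenID-style "who are you" field, source IP as a hint, then an explicit fallback) combined into one mix-and-match chain, as an added example. It is not code from the deck, Ping Identity or Account Chooser; the partner registry, the `idp_choice` cookie name, the `X-IdP-Hint` header name and the `servicedomain.example` host are constructed assumptions. Every hint, wherever it comes from, is only accepted if it names a provisioned IdP, so a tampered cookie or parameter can at worst fall through to the next strategy.

```python
"""IdP discovery as an ordered chain of hints with an explicit fallback.
Constructed example (not Ping Identity or Account Chooser code)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import parse_qs, urlsplit

SERVICE_DOMAIN = "servicedomain.example"   # assumption: the SP's own domain

# Constructed partner registry: IdP entity id -> the hints that route to it
IDPS = {
    "https://idp.acme.example": {"tenant": "acme",
                                 "email_domains": {"acme.example"},
                                 "cidrs": ["10.1.0.0/16"]},
    "https://idp.globex.example": {"tenant": "globex",
                                   "email_domains": {"globex.example"},
                                   "cidrs": []},
}


@dataclass
class Request:
    """The slice of an inbound HTTP request that discovery looks at."""
    url: str
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)
    client_ip: str = "0.0.0.0"
    typed_identifier: Optional[str] = None   # OpenID-style "who are you" field


def from_cookie(req: Request) -> Optional[str]:
    """Slide 44: choice cached on a previous successful login."""
    return req.cookies.get("idp_choice")


def from_url_parameter(req: Request) -> Optional[str]:
    """Slide 42: portal link carrying the IdP as a query parameter."""
    return parse_qs(urlsplit(req.url).query).get("idp", [None])[0]


def from_host(req: Request) -> Optional[str]:
    """Slide 42: unique IdP per distinct URL (tenant.servicedomain.example)."""
    host = urlsplit(req.url).hostname or ""
    if not host.endswith("." + SERVICE_DOMAIN):
        return None
    label = host[: -len(SERVICE_DOMAIN) - 1]
    for entity_id, cfg in IDPS.items():
        if cfg["tenant"] == label:
            return entity_id
    return None


def from_header(req: Request) -> Optional[str]:
    """Slide 42: header added by a firewall or profile. Only meaningful when
    the edge strips this header from external traffic before it reaches us."""
    return req.headers.get("X-IdP-Hint")


def from_typed_identifier(req: Request) -> Optional[str]:
    """Slide 38: route on the domain part of an e-mail style identifier."""
    ident = req.typed_identifier or ""
    if "@" not in ident:
        return None
    domain = ident.rsplit("@", 1)[1].lower()
    for entity_id, cfg in IDPS.items():
        if domain in cfg["email_domains"]:
            return entity_id
    return None


def from_source_ip(req: Request) -> Optional[str]:
    """Slide 42: source address as a hint, tried last because it is weakest."""
    try:
        ip = ipaddress.ip_address(req.client_ip)
    except ValueError:
        return None
    for entity_id, cfg in IDPS.items():
        if any(ip in ipaddress.ip_network(c) for c in cfg["cidrs"]):
            return entity_id
    return None


STRATEGIES = [from_cookie, from_url_parameter, from_host, from_header,
              from_typed_identifier, from_source_ip]


def discover(req: Request, fallback: str = "list") -> dict:
    """Try each hint in order; a hint counts only if it names a provisioned
    IdP. 'fallback' is the explicit choice slide 44 asks for: "list" shows
    the user the options, "fail" shows instructions instead."""
    for strategy in STRATEGIES:
        idp = strategy(req)
        if idp in IDPS:
            return {"idp": idp, "via": strategy.__name__}
    return {"idp": None, "via": fallback}


def remember_choice(response_cookies: dict, idp: str) -> None:
    """Slide 44: cache the choice after a successful login for next time."""
    if idp in IDPS:
        response_cookies["idp_choice"] = idp
```

Because `discover` reports which strategy won, the login page can log the `via` field; a sudden rise in `from_source_ip` or fallback hits is a cheap signal that a portal link or the edge header injection has stopped working.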