This document discusses key considerations for cloud identity management. It covers consumer and enterprise identity models, standards like SCIM, SAML, OAuth and OpenID Connect, and challenges of integrating on-premises and cloud-based identity systems. Identity needs vary based on organization size and whether the use case involves consumers, enterprises or IoT. Usability, analytics, and risk-based authentication are also important considerations.

1. Cloud Identity Management
Morteza Ansari (linkedin.com/in/mortezaansari)

3. POLICY
PROVISIONING /
LIFE CYCLE
AUTHENTICATION
AUTHORIZATIONENTITLEMENTS
IDENTITY
MANAGEMENT

4. Consumer Identity
• Huge scale and potential rapid growth
• FB >1.3B active users
• Instagram 150M active users in less than 3 years
• Self managed identity
• Simple namespace
• Identity won’t drive adoption, but could hamper it
• Must deal with recovery & credential management

5. Enterprise Identity
• Centrally managed/controlled
• Role based entitlements & authorization
• Demand more complex security policies
• Federation is very high priority
• Namespace complexity
• Multiple identifiers
• Account/tenant validation could be tricky
• Join/Split

6. Mix of Consumer & Enterprise
• How does transfer of control pan out
• Consumer -> enterprise
• Enterprise -> consumer (?)
• Who owns data associated with the identity?
• Namespace is even more complex
• Account recovery
• Multiple identifiers
• …

7. On-prem to Cloud
Enterprise
IdM
Cloud
On1Prem
Enterprise
IdP
Iden4ty6
Connector
SaaS

8. Cloud to Cloud
Enterprise
IdM
Cloud
On1Prem
Enterprise
IdP
Iden4ty6
Connector
IDaaS
SaaS2
SaaS1

9. SaaS Internal Abstraction
Enterprise
IdM
Cloud
On1Prem
Enterprise
IdP
Iden4ty6
Connector
SaaS
On-Prem Connector
IDaaS Bridge
Internal
Service1 Service2 Service3

10. Hybrid

11. Org Size 1 300 5K 100K
Provisioning /
De-provisioning
Authentication
Authorization
Core Functionality
Manual
Connector
SCIM
Local Credentials/OTP/Two Factor
Authentication Connector
SAML IdP
OAuth
OpenID Connect

12. Identity Requirements
Enterprise Consumer IoT
Scale 10-1M 1M-7B 50-100B
Identity Provider SaaS, On-prem,
or cloud IdP
SaaS, Social Everywhere!!!
Policy Enterprise IT Self managed Everywhere!!!
Identities Users, Groups,
Devices, Apps
Users, Apps/
Devices
Users, Devices,
Gateways, Apps,
Controllers, …

13. Standards
• SCIM
• SAML
• OAuth2 & extensions
• OpenID Connect
• Native Apps

14. What is SCIM?
• Simple Cloud Identity Management è System for Cross domain Identity
Management
• Set of pre-defined schema – Users & Groups
• RESTful API definition
• CRUD
• Bulk operations
• Search
• Discovery
• Extension semantics (limited in 1.x)
• Support for complex data models
• SIMPLE!!!

15. Schema
• Rich information model
• XML & JSON data models
• Concrete artifacts
• Users & Groups
• Usage semantics
• MTI & recommended
• Extensibility
• Enterprise User
Resource
Core ResourceServiceProviderConfig Schema
id,$meta
GroupUser
Enterprise User
externalId

16. Operations
• Discovery
• Create = POST https://example.com/{v}/{resource}
• Read = GET https://example.com/{v}/{resource}/{id}
• Update = PUT https://example.com/{v}/{resource}/{id}
• Delete = DELETE https://example.com/{v}/{resource}/{id}
• Update = PATCH https://example.com/{v}/{resource}/{id}
• Search = https://example.com/{v}/{resource}? filter={attribute} {op}
{value} & sortBy={attributeName} & sortOrder={ascending|descending}
• Bulk

17. Create Request
POST /v1/Users HTTP/1.1
Host: example.com
Accept: application/json
Authorization: Bearer h480djs93hd8
{
"schemas": ["urn:scim:schemas:core:1.0"],
"externalId": "bjensen",
"userName":"bjensen",
"name": {
"familyName": "Jensen",
"givenName": "Barbara"
}
}
Operation Resource Type
Format AuthZ
“User” Payload

18. Create Response
HTTP/1.1 201 Created
Content-Type: application/json
Location: https://example.com/v1/Users/281...
ETag: W/"e180ee84f0671b1"
{`
"schemas": ["urn:scim:schemas:core:1.0"],
"id": "2819c223-7f76-453a-919d-413861904646",
"externalId": "bjensen",
"meta": {
"created": "2011-08-01T21:32:44.882Z",
"lastModified": "2011-08-01T21:32:44.882Z",
"location": "https://example.com/v1/Users/281...",
"version": "W/"e180ee84f0671b1""
},
"name":{
"familyName":"Jensen",
"givenName":"Barbara"
},
"userName":"bjensen"
}
Result code
Format
“Permalink”
SP generated ID

19. SAML
• Security Assertion Markup Language
• XML Based protocol
• Oasis standard, 2.0 2005
• Most common enterprise federation
• SP or IdP initiated flows
• Web Browser SSO is most common
IdP
Service
Provider
Trust
User
Service,
Request
Authen2ca2on

20. AuthN vs. AuthZ

21. AuthN vs. AuthZ

22. What is OAuth?
• A token based service for authorization to resources
• IETF standard – RFC6749, RFC6750
• Typically has a RESTful binding, always HTTP
• Removes passwords from resource access
• Separate token issuance from resources
• Supports multiple flows to obtain access tokens
• OAuth is not an authentication service

23. OAuth Example – 1st Time Access
AuthoriZation
Trust
Web Browser
AutheNtication
Resource
Web App 1. I need the
authorization to change
Homer’s avatar
2. Is this really
Homer?
5. It is
Homer
8. You may change
Homer’s preferences
(access token)
6. Homer, you
cool with this?7. Yep!
9. I need to change Homer’s
avatar (access token)
3. Please enter your username
and password
10. Is access
authorized?
4. HomerJS
1234
11. Access is
authorized

24. OAuth Example – 2nd, 3rd, 4th… Times
AuthoriZation
Trust
Web Browser
AutheNtication
Resource
Web App 2. Is access
authorized?
3. Access is
authorized
1. I need to change
Homer’s avatar (access
token)

25. OpenID Connect
• Nothing to do with OpenID!
• Based on OAuth2
• Adds Identity token, session management, UserInfo
endpoint, …
• Rapidly being adopted
• Will likely replace SAML

26. Additional Considerations

27. Additional Considerations
• Usability is paramount
• Analytics is key
• “Acceptable” changes overtime

28. Additional Considerations
* Shamelessly “borrowed” from Mark Diodati’s slides

29. Additional Considerations
* Shamelessly “borrowed” from Mark Diodati’s slides

30. Additional Considerations
• Risk based AuthN/AuthZ
• Don’t forget Device, and App identity
• Multiple services è Service identity/entitlement
• Anonymous identity, guest
• Session distribution

32. Resources
• IETF SCIM WG
• http://simplecloud.info
• IETF OAuth WG
• http://oauth.net
• OpenID Connect
• Native Apps WG
• Internet Identity Workshop