Deciphering 'Claims-based Identity' 
Oliver Pfaff 
September 13, 2014
Sept. 2014 - All rights reserved 
Preface 
▶'Claims-based identity' is an important concept. It was introduced some years ago and is well covered 
–Just Google this term 
–Most notably: A Guide To Claims-Based Identity And Access Control (Second Edition) 
▶However, software product owners, application architects and developers are often puzzled by it 
–I happen to encounter the same questions again and again 
–So this is what claims-based identity means to me
Approach 
▶Create applications so that identity gets established outside the application 
–This refers to the identity of the current caller 
▶The environment establishes and injects the required identity information 
–This has to happen in a secure way: the environment verifies the evidence of authentication (the security token) before injecting anything, and the application must not be able to confuse injected identity information with data the caller could have supplied itself (e.g. a request header any client can set) 
[Figure: the environment establishes the identity of the caller, John Doe, and injects it into the application ("This is: name=JohnDoe"); the application only reads it: request.getName()=JohnDoe]
Blueprint 
[Figure: blueprint of claims-based identity. Parties: one of your users (John Doe) with a user agent; the application (e.g. a Web application) that you, as product owner, architect or developer, are responsible for, running in a container together with an identity enabling module (e.g. a filter); and an identity infrastructure service run by someone else. Flow: the identity enabling module sends an authentication request (without credentials) to the identity infrastructure service via the user agent; the service performs the initial authentication of the user and returns a security token; the module verifies the token, extracts the identity info and injects it into the request, so that the application reads request.getName()=JohnDoe…]
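The blueprint in code, as an added example that is not part of the deck: an identity infrastructure service that issues a security token after initial authentication, and the identity enabling module (the filter) that validates it and injects the identity info so the application never sees credentials. The token is a JWS in compact serialization carrying a JWT claim set, as OpenID Connect uses. Everything else is an assumption made so the block runs offline: the HS256 shared secret (a real service would sign with an asymmetric key so that the application side holds nothing that can mint tokens), the issuer and audience URLs, the Authorization: Bearer transport and the Request stand-in.

```python
import base64
import hashlib
import hmac
import json

# Assumptions, not from the deck: a secret shared by the identity infrastructure
# service and the identity enabling module, and the issuer/audience identifiers
# both sides agree on at registration time.
SHARED_SECRET = b"assumed-shared-secret-between-idp-and-app"
ISSUER = "https://idp.example"        # hypothetical identity infrastructure service
AUDIENCE = "https://app.example"      # hypothetical application (relying party)
CLOCK_SKEW = 30                       # seconds of tolerance for clock drift


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(identity_info: dict, now: int, lifetime: int = 300) -> str:
    """Identity infrastructure service: after the initial authentication, package
    the identity info as a JWS (HS256) whose payload is a JWT claim set."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": ISSUER, "aud": AUDIENCE, "iat": now, "exp": now + lifetime}
    payload.update(identity_info)
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(payload, separators=(",", ":")).encode()))
    tag = hmac.new(SHARED_SECRET, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(tag)


class TokenRejected(Exception):
    """Raised by the identity enabling module when a token must not be injected."""


def validate_token(token: str, now: int) -> dict:
    """Identity enabling module: the checks that make injection 'secure'.
    Returns the verified claim set or raises TokenRejected."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenRejected("malformed token")
    h64, p64, s64 = parts
    try:
        header = json.loads(b64url_decode(h64))
        # Pin the algorithm; never let the token's own header choose it
        # (that is how 'alg: none' and key-confusion attacks get in).
        if header.get("alg") != "HS256":
            raise TokenRejected("unexpected alg")
        expected = hmac.new(SHARED_SECRET, f"{h64}.{p64}".encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s64)):   # constant-time compare
            raise TokenRejected("bad signature")
        claims = json.loads(b64url_decode(p64))
    except (ValueError, UnicodeDecodeError) as exc:
        raise TokenRejected(f"undecodable token: {exc}")
    if claims.get("iss") != ISSUER:
        raise TokenRejected("untrusted issuer")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if AUDIENCE not in audiences:
        raise TokenRejected("token not meant for this application")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"] + CLOCK_SKEW:
        raise TokenRejected("expired")
    if isinstance(claims.get("nbf"), int) and now + CLOCK_SKEW < claims["nbf"]:
        raise TokenRejected("not yet valid")
    return claims


class Request:
    """Stand-in for the container's request object (hypothetical)."""
    def __init__(self, headers: dict):
        self.headers = headers
        self.identity = None          # set by the identity enabling module only

    def getName(self):
        return None if self.identity is None else self.identity.get("name")


def identity_filter(request: Request, now: int) -> bool:
    """The filter from the blueprint: validate the security token carried by the
    request and inject the identity info; on any failure inject nothing and
    report False so the container rejects or redirects to initial authentication."""
    scheme, _, token = request.headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token:
        return False
    try:
        request.identity = validate_token(token, now)
    except TokenRejected:
        request.identity = None
        return False
    return True


if __name__ == "__main__":
    now = 1_700_000_000
    token = issue_token({"sub": "jdoe", "name": "JohnDoe", "age": 37}, now)
    req = Request({"Authorization": "Bearer " + token})
    print(identity_filter(req, now + 100), req.getName())     # True JohnDoe
```

The order of checks matters: algorithm pinning and the signature come before any claim is looked at, so an attacker-controlled payload is never parsed as trusted data; issuer and audience then make sure a token minted by a different service, or for a different application, is not accepted even though it is validly signed.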
Flavors 
▶Claims-based identity comes in two flavors, call them economy and business 
–Economy: applications tell the identity infrastructure service at registration time what they need, e.g. "I need info about age, residential address and loyalty program membership" 
•Provides authenticated information about the current user in push style 
•Registration changes are needed to alter the set of supplied information 
–Business: applications tell the identity infrastructure service at runtime, e.g. "I need info about marital status" 
•Allows applications to obtain authenticated information about the current user in pull style (the instructions on to-be-supplied claims are given programmatically or declaratively) 
•Altering the set of requested information, e.g. to "Hey, I need info about marital status and the mail address", does not mandate registration changes
Ingredients 
▶An economy solution requires a security token object that can carry application-specific contents in a versatile way 
–This is: name=JohnDoe, age=37, maritalStatus=divorced… 
▶A business solution additionally requires an authentication request object that can express application-defined instructions 
–I need: info about name, age, maritalStatus…
Protocols 
▶This addresses the question 'which protocols carry the concept of claims-based identity' for Web applications, i.e. anything that relies on HTTP 
▶It takes HTTP request/response exchanges that carry a security token object capturing an authentication event. So the shortlist is: 
–Kerberos (SPNEGO-based HTTP authentication): specified by IETF (RFC 4559); uses Kerberos tickets as security token form-factor 
–SAML: specified by OASIS; uses SAML assertions 
–WS-Federation (passive profile): specified by OASIS; supports various security token formats 
–OpenID Connect: specified by the OpenID Foundation; uses JSON Web Tokens 
–OAuth UA4C (User Authentication for Clients): elaborated at IETF (work in progress as of 2014); uses JSON Web Tokens
Fluency 
▶Kerberos 
–Economy: security token is not versatile; a Kerberos ticket only informs about the PrincipalName of the requestor (its optional authorization-data field is implementation-specific, e.g. Microsoft's PAC, not a general claims container) 
–Business: authentication request absent 
▶SAML 
–Economy: security token (saml:Assertion) is versatile 
–Business: authentication request (samlp:AuthnRequest) present in SAML 2.0 but it does not define the expression of to-be-supplied claims information*; authentication request absent in SAML 1.x 
▶WS-Federation (passive profile) 
–Economy: security token can be versatile, e.g. saml:Assertion** 
–Business: authentication request present and supports the expression of to-be-supplied claims information: child element wst:Claims in wst:RequestSecurityToken (carried in the wreq parameter of the sign-in request) 
▶OpenID Connect 
–Economy: security token (JSON Web Token) is versatile 
–Business: authentication request present and supports two ways of expressing to-be-supplied claims information: OAuth scope values (openid, profile, email, address, phone) and the claims request parameter (optionally carried inside a request object) 
▶OAuth UA4C 
–Economy: security token (JSON Web Token) is versatile 
–Business: authentication request present but does not define the expression of to-be-supplied claims information*** 
*: Its 'any'-type child element samlp:Extensions supports custom content but things become proprietary. SAML 2.0 does allow the demand to be declared at registration time, economy style, via RequestedAttribute elements in the service provider's metadata 
**: WS-Federation does not specify security token formats. It also supports non-versatile objects, e.g. Kerberos tickets 
***: OAuth scope values might be used but UA4C does not specify their use for providing such instructions
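The business flavor with OpenID Connect, the mechanism named in the table above, as an added example that is not the deck's code; it also illustrates the pull-style flavor and the two ingredients (versatile token contents, instruction-carrying authentication request) from the preceding slides. The application builds the authentication request with scope values and the claims request parameter; the identity infrastructure service resolves both into the set of claims it will release, filtered by what the client was registered for (the economy-style demand) and what the user record actually holds. The endpoint URL, client id, registration set, user record and the custom claims marital_status and age are constructed placeholders.

```python
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

OP_AUTHORIZE = "https://idp.example/authorize"   # hypothetical identity infrastructure service

# Scope value -> claims it stands for (OpenID Connect Core 1.0, section 5.4).
SCOPE_CLAIMS = {
    "profile": {"name", "family_name", "given_name", "middle_name", "nickname",
                "preferred_username", "profile", "picture", "website", "gender",
                "birthdate", "zoneinfo", "locale", "updated_at"},
    "email": {"email", "email_verified"},
    "address": {"address"},
    "phone": {"phone_number", "phone_number_verified"},
}


def build_authentication_request(client_id, redirect_uri, scopes, id_token_claims):
    """Application side (business flavor): state at runtime which claims are needed.
    Standard claims go via scope values, anything else via the 'claims' parameter;
    {"name": {"essential": True}} marks a claim the application cannot do without."""
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(["openid", *scopes]),
        "state": state,          # CSRF protection for the redirect back
        "nonce": nonce,          # binds the ID Token to this request
    }
    if id_token_claims:
        params["claims"] = json.dumps({"id_token": id_token_claims})
    return OP_AUTHORIZE + "?" + urlencode(params), state, nonce


def requested_claims(request_url):
    """Identity infrastructure service side: turn scope values and the 'claims'
    parameter into one set of wanted claim names plus the subset marked essential.
    Only the id_token member is handled here; 'userinfo' works the same way."""
    query = parse_qs(urlsplit(request_url).query)
    scopes = query.get("scope", [""])[0].split()
    if "openid" not in scopes:
        raise ValueError("not an OpenID Connect authentication request")
    wanted, essential = {"sub"}, set()
    for scope in scopes:
        wanted |= SCOPE_CLAIMS.get(scope, set())      # unknown scope values are ignored
    if "claims" in query:
        spec = json.loads(query["claims"][0])
        for name, options in spec.get("id_token", {}).items():
            wanted.add(name)
            if isinstance(options, dict) and options.get("essential") is True:
                essential.add(name)
    return wanted, essential


def release_claims(wanted, registered, user_record):
    """Minimal disclosure: a claim is released only if it was requested now, the
    client was registered for it (the economy-style, registration-time demand)
    and the user record actually has it."""
    allowed = wanted & (registered | {"sub"})
    return {name: value for name, value in user_record.items() if name in allowed}


def missing_essential(received_claims, essential):
    """Application side, once the token is back: the service MUST NOT fail the
    request because claims are unavailable (OIDC Core 5.5.1), so checking that
    essential claims actually arrived is the application's job."""
    return sorted(essential - set(received_claims))


if __name__ == "__main__":
    url, state, nonce = build_authentication_request(
        "app-123", "https://app.example/cb", ["email"],
        {"marital_status": {"essential": True}, "age": None})
    wanted, essential = requested_claims(url)
    user = {"sub": "jdoe", "name": "JohnDoe", "email": "john@example", "email_verified": True,
            "age": 37, "marital_status": "divorced", "ssn": "do-not-release"}
    released = release_claims(wanted, {"email", "email_verified", "age", "name"}, user)
    print(released, missing_essential(released, essential))
```

In the sample run marital_status is requested at runtime but never registered, so the service silently leaves it out and the application's own check is what notices; name is registered but not requested, so it is not released either. That is the practical meaning of "pull style without registration changes": the request can ask for anything, but registration still bounds what comes back.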
Stacks 
▶The following addresses the question 'which stacks come with identity enabling modules/infrastructure services for claims-based identity' for Java (Java SE/EE) and .NET
Fitness 
▶Java 
–Economy: the Servlet API lets Java Web applications access authenticated information about the current requestor (request.getRemoteUser()/getUserPrincipal()) which is supplied by container/application extension modules. This does not specify rich representations of identity. Additional modules (IAM enabling) and custom conventions (between them and applications) are needed to supply caller identity in rich representations. 
–Business: additional modules (IAM enabling) and custom conventions (between them and applications) are needed to provide authentication requests with instructions on to-be-supplied claims. 
▶.NET 
–Economy: natively supported: 
•Identity enabling modules: WS-Federation Authentication Module (part of Windows Identity Foundation) 
•Identity infrastructure services: Active Directory Federation Services (on-premises), Azure Active Directory Access Control (cloud) 
–Business: natively supported (see above): instructions on to-be-supplied claims may be provided programmatically or declaratively
Caveats 
▶It takes two to tango: fluency of the protocol and ability of the stack 
–Protocols: 
•Economy: most shortlisted protocols are capable of doing the basic trick (Kerberos is the exception: its ticket is not a versatile token) 
•Business: not all shortlisted protocols do the advanced trick (only WS-Federation and OpenID Connect define how to express to-be-supplied claims) 
–Stacks: 
•DIY needed for Java 
oNo identity enabling module for doing the trick comes off-the-shelf with Java SE/EE (JASPIC, JSR 196, standardizes how an authentication module plugs into a Java EE container, but no claims-aware module ships with the platform) 
oThe current Servlet API does not specify the supply of caller identity in rich representations 
•Straightforward with .NET 
oOff-the-shelf components and default recipes do exist
Limitations 
▶Claims-based identity does not solve all IAM-related use cases 
–Edge case: logged-in users perform operations which depend on information about other users (colleagues, buddies…) 
•Claims-based identity is able to cover the first part: who is the 'logged-in user' (identifier, properties), possibly including who the other users are (a list of references) 
•But not the second part: what the identities of the 'other users' are (their identifiers, properties). Packaging such information into security tokens issued for the primary user and binding it to an application session over-stretches typical boundary conditions (token size, and the token being issued for and bound to the primary user) 
–Cf. provisioning scenarios in identity federations for more background 
▶Claims-based identity does not automatically result in good IAM practices: 
–Applications can always come up with mySpecialUserPropertyYouDidNotAnticipateAndIRegardMandatory 
–Care is needed in deciding where such information lives, and where the functionality for maintaining it lives, in the overall IT system
Benefits 
▶Improve user experience: facilitate a consistent identity and login experience across network applications 
▶Foster re-use: externalize the concern of user or requestor authentication and re-use its implementation across multiple applications 
▶Facilitate agility: introduce new security features, e.g. new authentication schemes or adaptive, context-based login, without touching each individual application 
▶Support new deployment models: applications that internalize initial authentication are tedious to move to the Cloud (here: IaaS, PaaS) 
▶Scale application development: the number of developers literate in security/IAM is far smaller than the number of applications in need of authenticated information about their current requestor
Conclusions 
▶Claims-based identity is about the design of applications: it is a dependency injection concept for the 'last mile' in authentication systems 
▶Claims-based identity is one term for this concept: other solutions trading identity in its post-authentication form may comply with the concept without using this term 
▶Claims-based identity is no one-stop shop: IAM use cases do exist which are not covered by claims-based identity 
▶Claims-based identity comes in some flavors: there is no single, one-size-fits-all approach; push and pull modes are to be distinguished 
▶Claims-based identity is an unevenly distributed asset: in Java you'll have to DIY, with .NET most stuff comes included
Author 
▶oliver.frank.pfaff@gmail.com

“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
Edge AI and Vision Alliance
 
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc
 
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AIEnchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Vladimir Iglovikov, Ph.D.
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
Quotidiano Piemontese
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
Aftab Hussain
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
danishmna97
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
mikeeftimakis1
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
Safe Software
 
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfUnlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Malak Abu Hammad
 
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
Neo4j
 

Recently uploaded (20)

みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
 
Large Language Model (LLM) and it’s Geospatial Applications
Large Language Model (LLM) and it’s Geospatial ApplicationsLarge Language Model (LLM) and it’s Geospatial Applications
Large Language Model (LLM) and it’s Geospatial Applications
 
Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of GermanyPresentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
 
Building RAG with self-deployed Milvus vector database and Snowpark Container...
Building RAG with self-deployed Milvus vector database and Snowpark Container...Building RAG with self-deployed Milvus vector database and Snowpark Container...
Building RAG with self-deployed Milvus vector database and Snowpark Container...
 
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
 
Pushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 daysPushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 days
 
Full-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalizationFull-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalization
 
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
 
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
 
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy Survey
 
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AIEnchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
 
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfUnlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
 
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
 

Deciphering 'Claims-based Identity'

5
Flavors
▶Claims-based identity comes in two flavors, economy/business – if you will
–Economy: applications tell the identity infrastructure service at registration-time about their demand, e.g. “I need info about age, residential address and loyalty program membership”
•Provides authenticated information about the current user in push-style
•Registration changes are needed to alter the set of supplied information
–Business: applications tell the identity infrastructure service at runtime, e.g. “I need info about marital status”
•Allows applications to obtain authenticated information about the current user in pull-style (programmatically or declaratively providing the instructions on to-be-supplied claim information)
•Altering the set of requested information to e.g. “Hey, I need info about marital status and the mail address” does not mandate registration changes

6
Ingredients
▶In order to offer an economy solution it takes a security token object that supports application-specific contents in a versatile way
–This is: name=JohnDoe, age=37, maritalStatus=divorced…
▶To offer a business solution it also takes an authentication request object that can express application-defined instructions
–I need: info about name, age, maritalStatus…

7
Protocols
▶This addresses the question ‘which protocols bear the concept of claims-based identity’ for Web applications, i.e. anything that relies on HTTP
▶It requires HTTP request/response exchanges that encompass a security token object capturing an event of authentication. So the shortlist is
–Kerberos: specified by IETF (RFC 4559); uses Kerberos tickets as security token form-factor
–SAML: specified by OASIS; uses SAML assertions
–WS-Federation (passive profile): specified by OASIS; supports various security token formats
–OpenID Connect: specified by OpenID Foundation; uses JSON Web Tokens
–OAuth UA4C: elaborated at IETF (work-in-progress); uses JSON Web Tokens
8
Fluency
▶Per shortlisted protocol: Economy (the security token) and Business (the authentication request)
–Kerberos
•Economy: security token is not versatile: Kerberos tickets only inform about the PrincipalName of the requestor
•Business: authentication request absent
–SAML
•Economy: security token (saml:Assertion) is versatile
•Business: authentication request present in SAML 2.0 but does not define the expression of to-be-supplied claims information*; authentication request absent in SAML 1.x
–WS-Federation (passive profile)
•Economy: security token can be versatile, e.g. saml:Assertion**
•Business: authentication request present and supports the expression of to-be-supplied claims information: child element wst:Claims in wst:RequestSecurityToken
–OpenID Connect
•Economy: security token (JSON Web Token) is versatile
•Business: authentication request present and supports two ways of expressing to-be-supplied claims information: OAuth Scope values, and OpenID Connect request object claims
–OAuth UA4C
•Economy: security token (JSON Web Token) is versatile
•Business: authentication request present but does not define the expression of to-be-supplied claims information***
*: Its ‘any’-type child element samlp:Extension supports custom content but things become proprietary
**: WS-Federation does not specify security token formats. It also supports non-versatile objects, e.g. Kerberos
***: OAuth Scope values might be used but UA4C does not specify their use for providing such instructions
9
Stacks
▶The following addresses the question ‘which stacks encompass identity enabling modules/infrastructure services for claims-based identity’ for Java (Java SE/EE) and .NET

10
Fitness
▶Per stack: Economy and Business
–Java
•Economy: the Servlet API allows Java Web applications to access authenticated information about the current requestor (request.getRemoteUser()/getUserPrincipal()) which is supplied by container/application extension modules. This does not specify rich representations of identity. Additional modules (IAM enabling) and custom conventions (between them and applications) are needed to supply caller identity in rich representations.
•Business: additional modules (IAM enabling) and custom conventions (between them and applications) are needed to provide authentication requests with instructions on to-be-supplied claims.
–.NET
•Economy: natively supported
o Identity enabling modules: WS-Federation Authentication Module (part of Windows Identity Foundation)
o Identity infrastructure services: Active Directory Federation Services (on-premises), Azure Active Directory Access Control (Cloud)
•Business: natively supported (see Economy): instructions on to-be-supplied claims may be provided programmatically or declaratively
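As an added example (not from the deck and not Oliver Pfaff's code), the two ingredients of slide 6, the OpenID Connect row of slide 8 and the ‘identity enabling module’ of the blueprint, modelled in Python. Everything concrete in it is a constructed assumption: an HS256-signed JWT as the security token, a secret shared between the identity infrastructure service and the identity enabling module, the issuer and audience URLs, and a WSGI middleware standing in for the servlet filter that the Java column of slide 10 says you would have to write yourself. Building the authentication request with scope values and the `claims` request parameter is the business (pull) flavor; the token carrying name/age/maritalStatus and being verified before injection is the economy (push) flavor.

```python
# Added illustration, not the deck's code. Constructed assumptions: HS256 JWT as
# security token, a shared secret, the issuer/audience below, and WSGI standing
# in for the servlet container ('<e.g. filter>' in the blueprint).
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import urlencode

ISSUER = "https://idp.example.test"        # identity infrastructure service (constructed)
AUDIENCE = "https://app.example.test"      # this application / client_id (constructed)
SHARED_SECRET = b"constructed-demo-secret"  # from configuration in real deployments


def build_authentication_request(authorize_endpoint, claims_wanted):
    """Business flavor: state at runtime which claims are needed. OpenID Connect
    offers scope values and the 'claims' request parameter; both are used here."""
    params = {
        "response_type": "code",
        "client_id": AUDIENCE,
        "redirect_uri": AUDIENCE + "/callback",
        "scope": "openid profile",
        "claims": json.dumps({"id_token": {c: {"essential": True} for c in claims_wanted}}),
    }
    return authorize_endpoint + "?" + urlencode(params)


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def issue_security_token(claims, lifetime=300):
    """Stand-in for the identity infrastructure service: mint a versatile token
    carrying application-specific claims (economy flavor)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    now = int(time.time())
    payload = _b64url_encode(json.dumps(dict(claims, iss=ISSUER, aud=AUDIENCE, exp=now + lifetime)).encode())
    sig = hmac.new(SHARED_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_security_token(token, now=None):
    """Return the claims if algorithm, signature, issuer, audience and expiry all
    check out; raise ValueError otherwise. This lives in the identity enabling
    module, so the application itself never handles raw tokens."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":  # pin the algorithm
        raise ValueError("unexpected alg")
    expected = hmac.new(SHARED_SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        raise ValueError("wrong issuer or audience")
    if claims.get("exp", 0) <= (now if now is not None else int(time.time())):
        raise ValueError("token expired")
    return claims


class IdentityEnablingModule:
    """WSGI middleware in the filter role: verify the security token and inject
    the caller's identity into the request before the application runs."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        auth = environ.get("HTTP_AUTHORIZATION", "")
        try:
            if not auth.startswith("Bearer "):
                raise ValueError("authentication required")
            environ["claims.identity"] = verify_security_token(auth[len("Bearer "):])
        except ValueError as exc:
            start_response("401 Unauthorized", [("WWW-Authenticate", "Bearer")])
            return [str(exc).encode()]
        return self.app(environ, start_response)


def application(environ, start_response):
    """Application code only consumes injected identity (cf. request.getName())."""
    who = environ["claims.identity"]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [f"name={who['name']} age={who['age']}".encode()]


def call(app, environ):
    """Tiny WSGI driver: returns (status, body) for a constructed request."""
    seen = []
    body = b"".join(app(environ, lambda status, headers: seen.append(status)))
    return seen[0], body.decode()


if __name__ == "__main__":
    token = issue_security_token({"name": "JohnDoe", "age": 37, "maritalStatus": "divorced"})
    print(call(IdentityEnablingModule(application), {"HTTP_AUTHORIZATION": "Bearer " + token}))
    print(build_authentication_request(ISSUER + "/authorize", ["name", "age", "maritalStatus"]))
```

The point to take from the middleware is the division of labour the deck describes: algorithm pinning, signature, issuer, audience and expiry checks all sit in the identity enabling module, and the application sees only an already-established identity. A request that arrives without a token, with a forged signature or with an expired token never reaches application code.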
11
Caveats
▶It takes two to tango: fluency of the protocol and ability of the stack
–Protocols:
•Economy: most shortlisted protocols are capable of doing the basic trick
•Business: not all shortlisted protocols do the advanced trick
–Stacks:
•DIY needed for Java
o No identity enabling module for doing the trick comes off-the-shelf with Java SE/EE
o Current servlet API does not specify the supply of caller identity in rich representations
•Straight-forward with .NET
o Off-the-shelf components and default recipes do exist

12
Limitations
▶Claims-based identity does not solve all IAM-related use cases
–Edge case: logged-in users perform operations which depend on information about other users (colleagues, buddies…)
•Claims-based identity is able to cover the first part: who is the ‘logged-in user’ (identifier, properties), possibly including: who are the other users (list of references)
•But not the second part: what are the identities of ‘other users’ (their identifiers, properties). Packaging such information into security tokens issued for the primary user and binding that to an application session over-stretches typical boundary conditions
–Cf. provisioning scenarios in identity federations for more background
▶Claims-based identity does not automatically result in good IAM practices:
–Applications can always come up with mySpecialUserPropertyYouDidNotAnticipateAndIRegardMandatory
–Care is needed in allocating such information as well as the functionality for its maintenance in an overall IT-system

13
Benefits
▶Improve user experience: facilitate consistent identity and login experience across network applications
▶Foster re-use: externalize the concern of user resp. requestor authentication, re-use its implementation across multiple applications
▶Facilitate agility: introduce new security features, e.g. new authentication schemes or adaptive, context-based login, without touching each individual application
▶Support new deployment models: applications that internalize initial authentication are tedious to move to the Cloud (here: IaaS, PaaS)
▶Scale application development: the number of development resources who are literate in security/IAM is out-scaled by the number of applications in need of authenticated information for their current requestor

14
Conclusions
▶Claims-based identity is about the design of applications: it refers to a dependency injection concept for the ‘last mile’ in authentication systems
▶Claims-based identity is one term for this concept: other solutions trading identity in its post-authentication form may comply with the concept without using this term
▶Claims-based identity is no one-stop-shop: IAM use cases do exist which are not covered by claims-based identity
▶Claims-based identity comes in some flavors: there is no single, one-size-fits-all approach – pull/push modes are to be distinguished
▶Claims-based identity is an unevenly distributed asset: in Java you’ll have to DIY, with .NET most stuff comes included

15
Author
▶oliver.frank.pfaff@gmail.com