The document discusses identity and access management trends from the past to present to future. It covers the history of passwords and early single sign-on systems. It then summarizes key standards and protocols like SAML, OAuth, OpenID Connect, and FIDO. It discusses how these have enabled single sign-on to SaaS applications and stronger authentication. Emerging trends discussed include biometrics, token binding, and mobile devices playing a role in authentication.
What to Expect in 2016: Top 5 Predictions for Security and Access ControlSecureAuth
SecureAuth and special guest Forrester Research discuss the trends and strategies that will help you boost security and protect your organization from access threats. In this session, you will hear from Forrester's Andras Cser as he shares the top 5 information security and access control trends to watch for in 2016 and how they will impact your organization. Additionally, Keith Graham, CTO from SecureAuth, will present effective strategies to stay ahead of these trends and protect against advanced cyber attacks with adaptive authentication.
Identity Management Over the Horizon: What’s New and What’s NextENow Software
Microsoft is continually pumping changes into its cloud services. One of the biggest sets of changes revolves around Azure Active Directory (AAD), the core identity service that Microsoft hopes to someday use to replace on-premises Active Directory. AAD is a key part of Office 365, but it has many other capabilities too. In this webinar, Microsoft Exchange MVP Paul Robichaux will cover:
- The various editions of AAD.
- What they do and don’t do
- How you can effectively use them as part of your overall identity management strategy for user authentication, federation, and access to cloud services.
To help organizations identify identity and access management (IAM) solutions that are both comprehensive and cost-effective, leading industry analyst firm Enterprise Management Associates (EMA) has conducted primary research on current and emerging IAM challenges, requirements, and solutions.
Get key results from this new research when you check out this presentation.
“Are we secure?” It’s the most dreaded question that information security and risk management professionals need to answer. Compliance is a useful starting point, but the number of “compliant” organizations who still suffered a data breach is proof positive that compliance simply isn’t enough. That’s where maturity models come into play. In this presentation, I’ll show you how to apply a capability maturity model (CMM) to your identity and access management (IAM) program, using that model to assess where you are today. I’ll also share tools and techniques you can use to accelerate improvements to your program.
What to Expect in 2016: Top 5 Predictions for Security and Access ControlSecureAuth
SecureAuth and special guest Forrester Research discuss the trends and strategies that will help you boost security and protect your organization from access threats. In this session, you will hear from Forrester's Andras Cser as he shares the top 5 information security and access control trends to watch for in 2016 and how they will impact your organization. Additionally, Keith Graham, CTO from SecureAuth, will present effective strategies to stay ahead of these trends and protect against advanced cyber attacks with adaptive authentication.
Identity Management Over the Horizon: What’s New and What’s NextENow Software
Microsoft is continually pumping changes into its cloud services. One of the biggest sets of changes revolves around Azure Active Directory (AAD), the core identity service that Microsoft hopes to someday use to replace on-premises Active Directory. AAD is a key part of Office 365, but it has many other capabilities too. In this webinar, Microsoft Exchange MVP Paul Robichaux will cover:
- The various editions of AAD.
- What they do and don’t do
- How you can effectively use them as part of your overall identity management strategy for user authentication, federation, and access to cloud services.
To help organizations identify identity and access management (IAM) solutions that are both comprehensive and cost-effective, leading industry analyst firm Enterprise Management Associates (EMA) has conducted primary research on current and emerging IAM challenges, requirements, and solutions.
Get key results from this new research when you check out this presentation.
“Are we secure?” It’s the most dreaded question that information security and risk management professionals need to answer. Compliance is a useful starting point, but the number of “compliant” organizations who still suffered a data breach is proof positive that compliance simply isn’t enough. That’s where maturity models come into play. In this presentation, I’ll show you how to apply a capability maturity model (CMM) to your identity and access management (IAM) program, using that model to assess where you are today. I’ll also share tools and techniques you can use to accelerate improvements to your program.
Identity Management for the 21st Century IT MissionCA API Management
The 21st century mission is dependent on providing secure and agile access to information across an increasing range of stakeholders, both internal and external to your agency. This comes amidst evolving IT missions, budget challenges, a complete IT compliance landscape and an increased need for rapidly deployable and flexible solutions.
This webinar explores integrated identity management solutions and real life use case examples.
Presented By
• Stephanie McVitty - Account Manager, Compsec
• Paul Grassi - Vice President of Federal Programs, Sila Solutions Group
• Jim Rice - Vice President of Federal, Layer 7
• Dieter Schuller - VP of Sales, Radiant Logic
• Phil McQuitty - Director of Systems Engineering, Sailpoint
• Gerry Gebel - President, Axiomatics Americas
50 data principles for loosely coupled identity management v1 0Ganesh Prasad
In the field of Identity and Access Management (IAM), Data is more important than Technology. A poorly designed data model can cause an IAM initiative to fail even with massive investments in technology products. Yet Data usually receives only superficial treatment, and many practitioners seem unaware of the basic principles to follow when designing Identity-based systems.
This presentation is a succinct summarisation of 50 data-related principles that an organisation overlooks at its peril.
CA Technologies and Deloitte: Unleash and Protect your Business with Identity...CA Technologies
Protecting today’s cloud-based, mobile enterprise requires a new approach – one that focuses on secure identity and access management (IAM), while at the same time driving two critical imperatives:
Learn how to enable business growth by:
• Quickly deploying new online services
• Leveraging new advances in cloud computing and virtualization
• Accommodating the needs of demanding, tech-savvy users
(i.e., customers, partners, employees, etc.)
• Driving greater employee productivity and increasing business intelligence
Protect the business by:
• Mitigating the risk of fraud, breaches, insider threats and improper access – from both internal and external sources
• Safeguarding critical systems, applications and data
Download the eBook today to learn more.
Cybersecurity Identity and Access Management applies to the security architecture and disciplines for digital identity management. It governs the duties and access rights shared with individual customers and the conditions under which such privileges are permitted or refused.
PIM, PAM, PUM: Best Practices for Unix/Linux Privileged Identity & Access Man...Ryan Gallavin
PIM, PAM and PUM have different meanings, and interpretations, to different people. For the most part the concepts around these three far-ranging topics intersect, and for the most part we are talking about the same thing. PIM, privileged identity management; PUM, privileged user management; and PAM, privileged account management OR privileged access management. All three of these acronyms revolve around a few simple concepts: who can get to a server, how they can get to a server and what they can do when they get there.
CIS13: Avoiding the Pitfalls of Managing IAM for a Hybrid EnvironmentCloudIDSummit
Chris Bauserman, Senior Director of Product Marketing, Cloud and SaaS, SailPoint
This session will discuss how next-generation IAM strategies can holistically address the security and compliance requirements of mission-critical applications and data that span an enterprise's data center, cloud and mobile environments.
Chris Bauserman will also provide technical insights to help attendees answer these questions:
· How do I provide full account lifecycle management?
· How do I ensure consistency across provisioning and runtime access?
· How do I provide a single-point for end user self-service?
· How do I efficiently and securely manage a bridge to on-prem IT?
· How do I implement audit, governance and compliance?
Building an Effective Identity Management StrategyNetIQ
Very few organizations do identity management as effectively as they could.
They have trouble developing effective methods for provisioning new users, de-provisioning old users, updating access privileges as users move around the organization, and automating the user change and configuration processes.
This presentation by identity and access management (IAM) experts, Adrian Lane, CTO and analyst at Securosis, and Rick Wagner, director of product management at NetIQ covered key elements of building a strong IAM strategy and the leading industry practices behind those strategies.
Originally presented as a UBM TechWeb DarkReading webinar the on-demand version will be available at: http://bit.ly/UUABIz until July 1st 2013.
Identity and Access Management (IAM) is a crucial part of living in a connected world. It involves managing multiple identities of an individual or entity, distributed across disparate portals. In an enterprise, IAM solutions serve as a mean to secure access, control user activities and manage authentication for an App or a group of software (infrastructure).
This detailed PowerPoint brings you the most fundamental concepts and ideas related to identity and access management. Plus, we have debunked some popular IAM myths, so do checkout!
The Essentials | Privileged Access ManagementRyan Gallavin
SSH is nearly ubiquitous in today’s enterprises, and is the predominant tool for managing unix and linux servers, and the applications and data that they host. Poor practices around the deployment and management of the SSH infrastructure could easily leave your enterprise vulnerable to a breach. Are you in control?
Sailpoint Training is an innovative identity management solution. Best Sailpoint IdentityIQ Online Training gives sailpoint 7.1 version & corporate training
Evolveum: All you need to know about identity & access managementEvolveum
On these 15 slides, we will explain you what identity & access management is, how it is used and we will also mention 4 major categories of IAM components.
OAuth 2.0 Token Exchange: An STS for the REST of UsBrian Campbell
From the 2016 Cloud Identity Summit:
Complete with the requisite bad jokes and gratuitous photography, this session will provide an introduction to an emerging new protocol for a lightweight HTTP- and JSON- based Security Token Service built on OAuth 2.0. The presenter, Brian Campbell, is a long time veteran of the CIS speaking circuit who peaked in 2013 when Vittorio Bertocci tweeted about his session, "I love @__b_c presentations :-) hilarious & very informative!" Attendees expecting this session to live up to that will be sorely disappointed but are encouraged to come nonetheless.
Identity Management for the 21st Century IT MissionCA API Management
The 21st century mission is dependent on providing secure and agile access to information across an increasing range of stakeholders, both internal and external to your agency. This comes amidst evolving IT missions, budget challenges, a complete IT compliance landscape and an increased need for rapidly deployable and flexible solutions.
This webinar explores integrated identity management solutions and real life use case examples.
Presented By
• Stephanie McVitty - Account Manager, Compsec
• Paul Grassi - Vice President of Federal Programs, Sila Solutions Group
• Jim Rice - Vice President of Federal, Layer 7
• Dieter Schuller - VP of Sales, Radiant Logic
• Phil McQuitty - Director of Systems Engineering, Sailpoint
• Gerry Gebel - President, Axiomatics Americas
50 data principles for loosely coupled identity management v1 0Ganesh Prasad
In the field of Identity and Access Management (IAM), Data is more important than Technology. A poorly designed data model can cause an IAM initiative to fail even with massive investments in technology products. Yet Data usually receives only superficial treatment, and many practitioners seem unaware of the basic principles to follow when designing Identity-based systems.
This presentation is a succinct summarisation of 50 data-related principles that an organisation overlooks at its peril.
CA Technologies and Deloitte: Unleash and Protect your Business with Identity...CA Technologies
Protecting today’s cloud-based, mobile enterprise requires a new approach – one that focuses on secure identity and access management (IAM), while at the same time driving two critical imperatives:
Learn how to enable business growth by:
• Quickly deploying new online services
• Leveraging new advances in cloud computing and virtualization
• Accommodating the needs of demanding, tech-savvy users
(i.e., customers, partners, employees, etc.)
• Driving greater employee productivity and increasing business intelligence
Protect the business by:
• Mitigating the risk of fraud, breaches, insider threats and improper access – from both internal and external sources
• Safeguarding critical systems, applications and data
Download the eBook today to learn more.
Cybersecurity Identity and Access Management applies to the security architecture and disciplines for digital identity management. It governs the duties and access rights shared with individual customers and the conditions under which such privileges are permitted or refused.
PIM, PAM, PUM: Best Practices for Unix/Linux Privileged Identity & Access Man...Ryan Gallavin
PIM, PAM and PUM have different meanings, and interpretations, to different people. For the most part the concepts around these three far-ranging topics intersect, and for the most part we are talking about the same thing. PIM, privileged identity management; PUM, privileged user management; and PAM, privileged account management OR privileged access management. All three of these acronyms revolve around a few simple concepts: who can get to a server, how they can get to a server and what they can do when they get there.
CIS13: Avoiding the Pitfalls of Managing IAM for a Hybrid EnvironmentCloudIDSummit
Chris Bauserman, Senior Director of Product Marketing, Cloud and SaaS, SailPoint
This session will discuss how next-generation IAM strategies can holistically address the security and compliance requirements of mission-critical applications and data that span an enterprise's data center, cloud and mobile environments.
Chris Bauserman will also provide technical insights to help attendees answer these questions:
· How do I provide full account lifecycle management?
· How do I ensure consistency across provisioning and runtime access?
· How do I provide a single-point for end user self-service?
· How do I efficiently and securely manage a bridge to on-prem IT?
· How do I implement audit, governance and compliance?
Building an Effective Identity Management StrategyNetIQ
Very few organizations do identity management as effectively as they could.
They have trouble developing effective methods for provisioning new users, de-provisioning old users, updating access privileges as users move around the organization, and automating the user change and configuration processes.
This presentation by identity and access management (IAM) experts, Adrian Lane, CTO and analyst at Securosis, and Rick Wagner, director of product management at NetIQ covered key elements of building a strong IAM strategy and the leading industry practices behind those strategies.
Originally presented as a UBM TechWeb DarkReading webinar the on-demand version will be available at: http://bit.ly/UUABIz until July 1st 2013.
Identity and Access Management (IAM) is a crucial part of living in a connected world. It involves managing multiple identities of an individual or entity, distributed across disparate portals. In an enterprise, IAM solutions serve as a mean to secure access, control user activities and manage authentication for an App or a group of software (infrastructure).
This detailed PowerPoint brings you the most fundamental concepts and ideas related to identity and access management. Plus, we have debunked some popular IAM myths, so do checkout!
The Essentials | Privileged Access ManagementRyan Gallavin
SSH is nearly ubiquitous in today’s enterprises, and is the predominant tool for managing unix and linux servers, and the applications and data that they host. Poor practices around the deployment and management of the SSH infrastructure could easily leave your enterprise vulnerable to a breach. Are you in control?
Sailpoint Training is an innovative identity management solution. Best Sailpoint IdentityIQ Online Training gives sailpoint 7.1 version & corporate training
Evolveum: All you need to know about identity & access managementEvolveum
On these 15 slides, we will explain you what identity & access management is, how it is used and we will also mention 4 major categories of IAM components.
OAuth 2.0 Token Exchange: An STS for the REST of UsBrian Campbell
From the 2016 Cloud Identity Summit:
Complete with the requisite bad jokes and gratuitous photography, this session will provide an introduction to an emerging new protocol for a lightweight HTTP- and JSON- based Security Token Service built on OAuth 2.0. The presenter, Brian Campbell, is a long time veteran of the CIS speaking circuit who peaked in 2013 when Vittorio Bertocci tweeted about his session, "I love @__b_c presentations :-) hilarious & very informative!" Attendees expecting this session to live up to that will be sorely disappointed but are encouraged to come nonetheless.
Identity and Access Management from Microsoft and Razor TechnologyDavid J Rosenthal
63% of confirmed data breaches involve weak, default, or stolen passwords (Verizon 2016 Data Breach Report)
More than 80% of employees admit using non-approved SaaS apps for work purposes (Stratecast, December 2013)
0.6% global IT spend increase. http://www.gartner.com/newsroom/id/3186517
IT cannot afford to live in the past. Successful businesses of today (and tomorrow) realize the power of mobility to support employee productivity and collaboration. You need to prepare to mitigate the risks of providing freedom and space to your employees. You need to meet compliance and regulatory standards, maintain company security policies and requirements, and detect threats — all the while giving workers a better and more productive experience, so that they’re motivated to follow protocol. You need an enterprise mobility partner that can help you achieve all of this, so that everyone is a winner, and your business stays out of the headlines.
Microsoft’s vision includes management and protection across four key layers: users, device, app, and data – for both your employees, business partners, and customers.
Our strategy is to ensure management across these layers while ensuring your employees, business partners, and customers by providing access to everything they need from everything; protecting corporate data across email and collaboration apps all while integrating these new capabilities with what customers already have like Active Directory and System Center.
Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC20...Amazon Web Services
Learn how AWS IAM enables you to control who can do what in your AWS environment. We discuss how IAM provides flexible access control that helps you maintain security while adapting to your evolving business needs. Wel review how to integrate AWS IAM with your existing identity directories via identity federation. We outline some of the unique challenges that make providing IAM for the cloud a little different. And throughout the presentation, we highlight recent features that make it even easier to manage the security of your workloads on the cloud.
This session introduces the concepts of AWS Identity and Access Management (IAM) and walks through the tools and strategies you can use to control access to your AWS environment. We describe IAM users, groups, and roles and how to use them. We demonstrate how to create IAM users and roles, and grant them various types of permissions to access AWS APIs and resources.
Спецвипуск бібліографічного бюлетеня бібліотеки присвячено аналітичному огляду статей з журналу "Підприємництво, Господарство. Право", №№ 11-12 2016 рік
Finding Key Influencers and Viral Topics in Twitter Networks Related to ISIS ...Steve Kramer
Paragon Science used a combination of network analysis, community detection, topic detection, sentiment analysis, and anomaly detection to find key influencers and viral topics in two recent Twitter data sets: one of 7.9 M tweets regarding ISIS and a second set consisting of 13 M tweets about the recent primary elections.
This presentation from GlobalCAST Resources highlights some principles that can guide missions mobilization. We explore mobilization that does not resort to tactics like manipulation. Here we seek to apply community development principles to missions mobilization and ask the question what does mobilization out of the tree of life look like?
This session will give an overview of Identity and Access Management to serve as a mildly entertaining refresher or introduction to help set the stage for the rest of the week. We'll look at some of IAM's past, present, and future and cover industry standards like SAML, OAuth, FIDO, OIDC, and some other acronyms.
Securing Web Applications with Token AuthenticationStormpath
In this presentation, Java Developer Evangelist Micah Silverman demystifies HTTP Authentication and explains how the Next Big Thing - Token Authentication - can be used to secure web applications on the JVM, REST APIs, and 'unsafe' clients while supporting security best practices and even improving your application's performance and scale.
Topics Covered:
Security Concerns for Modern Web Apps
Cross-Site Scripting Prevention
Working with 'Untrusted Clients'
Securing API endpoints
Cookies
Man in the Middle (MitM) Attacks
Cross-Site Request Forgery
Session ID Problems
Token Authentication
JWTs
Working with the JJWT library
End-to-end example with Spring Boot
Building Secure User Interfaces With JWTs (JSON Web Tokens)Stormpath
With new tools like Angular.js and Node.js, it is easier than ever to build User Interfaces and Single-Page Applications (SPAs) backed by APIs.
But how to do it securely? Web browsers are woefully insecure, and hand-rolled APIs are risky.
In this presentation, Robert Damphousse, lead front-end developer at Stormpath, covers web browser security issues, technical best practices and how you can mitigate potential risks. Enjoy!
Topics Covered:
1. Security Concerns for Modern Web Apps
2. Cookies, The Right Way
3. Session ID Problems
4. Token Authentication to the rescue!
5. Angular Examples
Token Authentication for Java ApplicationsStormpath
Everyone building a web application that supports user login is concerned with security. How do you securely authenticate users and keep their identity secure? With the huge growth in Single Page Applications (SPAs), JavaScript and mobile applications, how do you keep users safe even though these are 'unsafe' client environments?
This presentation will demystify HTTP Authentication and explain how the Next Big Thing - Token Authentication - can be used to secure web applications on the JVM, REST APIs, and 'unsafe' clients while supporting security best practices and even improving your application's performance and scale.
OWASP Free Training - SF2014 - Keary and ManicoEoin Keary
A free application security class delivered by world renowned experts: Eoin Keary and Jim Manico.
This class has been delivered to over 1000 people in 2014 alone.
[4developers2016] - Security in the era of modern applications and services (...PROIDEA
Security is hard. Old days are over and it requires way more then providing login form, comparing password hash and maintaining HTTP session. With the raise of mobile and client side apps, (micro) services and APIs it has become a fairly complex topic. At the same time with security breaches hitting the news on the monthly basis it is everyone's concern. Being an area every developer or architect needs to understand very well. Thankfully a number of modern standards and solutions emerged to help with current challenges. During this talk you will learn how to approach typical security needs using modern token based security and standards like OAuth2, OpenID Connect or SAML. We’ll discuss wide variety of security related topics around multi factor authentication or identity federation and brokering . You will also learn how you can leverage modern open source identity and access management solutions in your applications.
Abusing bleeding edge web standards for appsec gloryPriyanka Aash
"Through cooperation between browser vendors and standards bodies in the recent past, numerous standards have been created to enforce stronger client-side control for web applications. As web appsec practitioners continue to shift from mitigating vulnerabilities to implementing proactive controls, each new standard adds another layer of defense for attack patterns previously accepted as risks. With the most basic controls complete, attention is shifting toward mitigating more complex threats. As a result of the drive to control for these threats client-side, standards such as SubResource Integrity (SRI), Content Security Policy (CSP), and HTTP Public Key Pinning (HPKP) carry larger implementation risks than others such as HTTP Strict Transport Security (HSTS). Builders supporting legacy applications actively make trade-offs between implementing the latest standards versus accepting risks simply because of the increased risks newer web standards pose.
In this talk, we'll strictly explore the risks posed by SRI, CSP, and HPKP; demonstrate effective mitigation strategies and compromises which may make these standards more accessible to builders and defenders supporting legacy applications; as well as examine emergent properties of standards such as HPKP to cover previously unforeseen scenarios. As a bonus for the breakers, we'll explore and demonstrate exploitations of the emergent risks in these more volatile standards, to include multiple vulnerabilities uncovered quite literally during our research for this talk (which will hopefully be mitigated by d-day)."
(Source: Black Hat USA 2016, Las Vegas)
100 Percent Encrypted Web New Challenges For TLS RSA Conference 2017CASCouncil
The web is moving towards a 100% Encrypted Web—but can we get it, right? Understanding the surge in use of https for malware and phishing, the renewed importance of revocation checking, the role of browser UI design in protecting users, the renewed importance of identity in TLS certificates, and the latest industry studies and initiatives for a safer Internet.
"Crypto wallets security. For developers", Julia PotapenkoFwdays
From a security perspective, cryptocurrency wallets are just applications. Similar to banking apps, wallets operate users’ funds and allow making transactions. But are they as secure as banking apps? Let’s talk about the risks and threats of crypto wallets, then move to design concerns and implementation issues. What types of data should be protected? What are the most common vulnerabilities? And why encrypting data is not as trivial as it may seem?
Join Stormpath Developer Evangelist, Robert Damphousse, to dive deep into browser security. Robert will explain how Session IDs, Man in the Middle (MITM), Cross-Site Scripting (XSS), and Cross-Site Request Forgery (CSRF) attacks work, and how to use cookies to support security best practices.
Topics Covered:
- Security concerns for modern web apps
- Cookies, the right way
- MITM, XSS, and CSRF attacks
- Session ID problems
- Examples in an Angular app
Making application threat intelligence practical - DEM06 - AWS reInforce 2019 Amazon Web Services
The daily volume of cyberattacks that target applications and the frequency of associated breaches is overwhelming to even the most experienced security professionals. We cover important lessons learned from F5 Labs’ analysis of global attack data and breach root causes that are attributed to application threats. This helps you understand attackers’ top targets and motives and the changing application security landscape of systems used to launch application attacks. Addressing these threats requires practical controls that organizations can be successful with. We offer tips and tricks that you can work on immediately to address common application threats and appropriately prioritize your application security controls.
This presentation was used in OWASP Taiwan Week 2017 at Taipei & Kaohsiung. It talks about what Cross Site Request Forgery is, what are different ways to prevent it. And how it can be mitigated with OWASP CSRF Protector with just two lines of codes.
Is your mobile app as secure as you think?Matt Lacey
Slides from talks at DunDDD and NDCLondon.
News stories of security vulnerabilities in mobile apps are becoming more common and their impact risks affecting more and more business and consumers. It doesn't have to be this way.
There are solutions to all the common security issues in mobile but sometimes we need to be made aware of what the issues are and how they can be prevented.
That's what I'll show in this talk. I'll draw on more than twelve years personal experience building apps for a wide variety of industries and the accumulated knowledge of the OWASP Mobile Security. We'll look at some examples of the common security mistakes apps on iOS, Android and Windows have made and then show practical examples of how to address the issues.
You'll leave this session wanting to review the security of your mobile apps but armed with the knowledge to make improvements and fix some security holes.
RESTful APIs,SOAP APIs, Proprietary APIs, protocols beyond APIs, OAuth for Authentication, Federated Authorization Servers across security domains, Token Translation between SAML and JWT, SSO across native applications, all running across Windows desktops and Android mobile computing platforms…and the glue to tie all that together? Are you kidding? A technical chat on a real-life case study of a small but dedicated band of engineers’ attempts to harmonize identity in a very un-harmonized world.
Similar to Identity and Access Management - RSA 2017 Security Foundations Seminar (20)
Token Binding is a new IETF protocol enabling strong cryptographic defenses against the use of stolen security tokens. This session will provide a technical overview of how Token Binding works and its application to session cookies and higher level protocols like OpenID Connect and OAuth. Bad jokes and gratuitous photography will be included to take the edge off the otherwise very nerdy content.
Beyond Bearer: Token Binding as the Foundation for a More Secure WebBrian Campbell
The overwhelming majority of security tokens used today on the web are bearer tokens (e.g. HTTP cookies, OpenID Connect ID tokens, SAML assertions, OAuth tokens). Any party in possession of a bearer token is able to use it to gain access to the associated protected resources, which makes them a highly attractive target for attackers. Although there have been many efforts to provide better than bearer security, none have achieved widespread deployment success. Token Binding is new IETF protocol that enables strong cryptographic defenses against the use of stolen security tokens and, with a novel approach and the backing of some very significant industry players, has the potential to find the success that’s been elusive to previous attempts. This session will provide an overview of how Token Binding works and its application to higher level protocols like OpenID Connect and OAuth. Some bad jokes and gratuitous photography will be included to take the edge off the otherwise very nerdy content.
Mobile computing has grown at an unprecedented rate in recent years while innovations in identity and Single Sign-On (SSO) on mobile have lagged behind. We'll look at the state of mobile application SSO including applicable standards such as OAuth 2.0, OpenID Connect, etc., some best and worst practices in use today, and the availability of relatively new features in the major mobile operating systems that stand to improve the situation for developers and users alike. Bad jokes and gratuitous photographs will be liberally interspersed with actual content.
About the presenter:
As a Distinguished Engineer for Ping Identity, Brian Campbell aspires to one day know what a Distinguished Engineer actually does for a living. In the meantime, he's tried to make himself useful with little things like designing and building much of PingFederate, the product that put Ping Identity on the map. When not making himself useful, he contributes to various identity and security standards including a two-year stint as co-chair of the OASIS Security Services Technical Committee (SAML) and contributions to OAuth, JOSE and COSE in the IETF as well as OpenID Connect. He holds a B.A., magna cum laude, in Computer Science from Amherst College in Massachusetts. Despite spending four years in the state, he has to look up how to spell "Massachusetts" every time he writes it.
** note that a recording of this presentation is available at https://www.youtube.com/watch?v=UBNOJ_G7EZc **
Mobile Single Sign-On: are we there yet?
-- Brian Campbell, Ping Identity --
-- at the 2015 Cloud Identity Summit --
Mobile computing has grown at an unprecedented rate in recent years while innovations in identity and Single Sign-On on mobile have lagged behind. We'll look at the state of native mobile application SSO including applicable standards such as OAuth 2.0, OpenID Connect, and NAAPS, and try to better understand the bigger picture of what's happening and what might be done to improve things.
Mobile Single Sign-On: OAuth 2.0, OpenID Connect, NAAPS, why doesn’t anything work and can we do better? -- Brian Campbell, Ping Identity - - - Mobile computing has grown at an unprecedented rate in recent years while innovations in identity and Single Sign-On on mobile have lagged behind. We'll look at the state of native mobile application SSO including applicable standards such as OAuth 2.0, OpenID Connect, and NAAPS, and try to better understand the bigger picture of what's happening and what might be done to improve things.
-- from 2015 http://gluecon.com/
JSON Web Token (JWT) is emerging as the goto format for security tokens in next generation identity systems. This talk will provide a technical overview of JWT and it’s underpinnings, the JavaScript Object Signing and Encryption (JOSE) suite of specifications, and equip you with the knowledge and sills needed to talk about and use JWT and JOSE effectively. All the cool kids are doing it and JWT+JOSE recently won a Special European Identity Award for Best Innovation for Security in the API Economy at the 2014 European Identity & Cloud Conference.
OpenID Connect - a simple[sic] single sign-on & identity layer on top of OAut...Brian Campbell
Identity is ubiquitous. Regardless of the kind of applications you develop you will, at some point, almost certainly have to deal with identifying users of the app. Yet it's seldom a central part of the app’s value proposition and rarely a core competency for developers. Wouldn’t it be nice to outsource user authentication and free yourself from the liability and complexity of storing and managing passwords? OpenID Connect, just ratified earlier this year and backed by some big industry names, is emerging as the go to standard way to do exactly that. Connect allows you to easily and securely get an answer to the question: “What is the identity of the person currently using this browser or native app?” Unlike some of it’s predecessors, however, Connect has roots spanning the consumer, SaaS and enterprise space and is better suited to serve a diverse set of deployments. Come find out more about Connect in this talk from a seasoned veteran of the prestigious basement conference rooms at GlueCon.
A technical overview of JSON Web Token (JWT) and its JOSE underpinnings, which are poised to be the next generation identity token, as well as a look at using one open source implementation (jose4j).
Also some (bad) jokes.
An Introduction to the Emerging JSON-Based Identity and Security Protocols (O...Brian Campbell
A short technical introduction, presented at an OWASP Vancouver chapter meeting, to some aspects of JOSE (JWS, JWE, and JWK) as well as JSON Web Token (JWT).
Hope or Hype: A Look at the Next Generation of Identity StandardsBrian Campbell
OpenID Connect, OAuth, JOSE and JWT may be the new kids on the block, but many experts and visionaries have already anointed them to replace SAML. Is the wheel being needlessly reinvented or is genuine progress on the horizon?
Brian Campbell, Portfolio Architect, Ping Identity
Introduction to the Emerging JSON-Based Identity and Security ProtocolsBrian Campbell
A quick(ish) technical introduction, presented at Gluecon 2013, to some aspects of JOSE (JWS, JWE, JWK) and JSON Web Token (JWT), OAuth 2.0 and OpenID Connect.
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...Brian Campbell
Gluecon 2012 presentation on using OAuth 2.0 with mobile applications to utilize social logins. "Is that a token in your phone in your pocket or are you just glad to see me? OAuth 2.0 and Mobile Devices"
OAuth 101 & Secure API's - Paul Madsen and Brian Campbell, Ping IdentityBrian Campbell
A key technical underpinning of the Cloud are Application Programming Interfaces (API) - consistent methods for applications to interface with services in the cloud. More and more it will be through APIs that cloud data moves. The security of consumer APIs was threatened by the so-called 'password anti-pattern' – a model in which a client would collect and replay the password for a user at an API in order to access information on behalf of that user. OAuth not only defeats the password anti-pattern, but does much more. OAuth 2.0 defines a consistent, flexible identity and policy architecture for web applications, web services, devices, and desktop clients attempting to communicate with Cloud APIs. We'll discuss what OAuth provides, where it came from, and where its going.
About Paul Madsen
Paul Madsen is a Senior Technical Architect within the Office of the CTO at Ping Identity. He has served in various design, chairing, editing, and education roles for a number of federation standards, including OASIS Security Assertion Markup Language (SAML), OASIS Service Provisioning Markup Language (SPML), and Liberty Identity Web Services Framework (ID-WSF). He participates in a number of the Kantara Initiative's activities, as well as various other cloud identity initiatives. He holds an M.Sc. in Applied Mathematics and a Ph.D. in Theoretical Physics from Carleton University and the University of Western
About Brian Campbell
As Principal Architect for Ping Identity, Brian Campbell aspires to one day know what a Principal Architect actually does for a living. In the meantime, he tries to make himself useful by ideating, designing and building software systems such as Ping’s flagship product PingFederate. When not making himself useful, he contributes to various identity and security standards including a two-year stint as co-chair of the OASIS Security Services Technical Committee and a current focus on OAuth 2.0 within the IETF. He holds a B.A., magna cum laude, in Computer Science from Amherst College in Massachusetts. Despite spending four years in the state, he has to look up how to spell "Massachusetts" every time he writes it.
Code reviews are vital for ensuring good code quality. They serve as one of our last lines of defense against bugs and subpar code reaching production.
Yet, they often turn into annoying tasks riddled with frustration, hostility, unclear feedback and lack of standards. How can we improve this crucial process?
In this session we will cover:
- The Art of Effective Code Reviews
- Streamlining the Review Process
- Elevating Reviews with Automated Tools
By the end of this presentation, you'll have the knowledge on how to organize and improve your code review proces
Navigating the Metaverse: A Journey into Virtual Evolution"Donna Lenk
Join us for an exploration of the Metaverse's evolution, where innovation meets imagination. Discover new dimensions of virtual events, engage with thought-provoking discussions, and witness the transformative power of digital realms."
Cyaniclab : Software Development Agency Portfolio.pdfCyanic lab
CyanicLab, an offshore custom software development company based in Sweden,India, Finland, is your go-to partner for startup development and innovative web design solutions. Our expert team specializes in crafting cutting-edge software tailored to meet the unique needs of startups and established enterprises alike. From conceptualization to execution, we offer comprehensive services including web and mobile app development, UI/UX design, and ongoing software maintenance. Ready to elevate your business? Contact CyanicLab today and let us propel your vision to success with our top-notch IT solutions.
Enhancing Project Management Efficiency_ Leveraging AI Tools like ChatGPT.pdfJay Das
With the advent of artificial intelligence or AI tools, project management processes are undergoing a transformative shift. By using tools like ChatGPT, and Bard organizations can empower their leaders and managers to plan, execute, and monitor projects more effectively.
Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...Anthony Dahanne
Les Buildpacks existent depuis plus de 10 ans ! D’abord, ils étaient utilisés pour détecter et construire une application avant de la déployer sur certains PaaS. Ensuite, nous avons pu créer des images Docker (OCI) avec leur dernière génération, les Cloud Native Buildpacks (CNCF en incubation). Sont-ils une bonne alternative au Dockerfile ? Que sont les buildpacks Paketo ? Quelles communautés les soutiennent et comment ?
Venez le découvrir lors de cette session ignite
Providing Globus Services to Users of JASMIN for Environmental Data AnalysisGlobus
JASMIN is the UK’s high-performance data analysis platform for environmental science, operated by STFC on behalf of the UK Natural Environment Research Council (NERC). In addition to its role in hosting the CEDA Archive (NERC’s long-term repository for climate, atmospheric science & Earth observation data in the UK), JASMIN provides a collaborative platform to a community of around 2,000 scientists in the UK and beyond, providing nearly 400 environmental science projects with working space, compute resources and tools to facilitate their work. High-performance data transfer into and out of JASMIN has always been a key feature, with many scientists bringing model outputs from supercomputers elsewhere in the UK, to analyse against observational or other model data in the CEDA Archive. A growing number of JASMIN users are now realising the benefits of using the Globus service to provide reliable and efficient data movement and other tasks in this and other contexts. Further use cases involve long-distance (intercontinental) transfers to and from JASMIN, and collecting results from a mobile atmospheric radar system, pushing data to JASMIN via a lightweight Globus deployment. We provide details of how Globus fits into our current infrastructure, our experience of the recent migration to GCSv5.4, and of our interest in developing use of the wider ecosystem of Globus services for the benefit of our user community.
Globus Connect Server Deep Dive - GlobusWorld 2024Globus
We explore the Globus Connect Server (GCS) architecture and experiment with advanced configuration options and use cases. This content is targeted at system administrators who are familiar with GCS and currently operate—or are planning to operate—broader deployments at their institution.
First Steps with Globus Compute Multi-User EndpointsGlobus
In this presentation we will share our experiences around getting started with the Globus Compute multi-user endpoint. Working with the Pharmacology group at the University of Auckland, we have previously written an application using Globus Compute that can offload computationally expensive steps in the researcher's workflows, which they wish to manage from their familiar Windows environments, onto the NeSI (New Zealand eScience Infrastructure) cluster. Some of the challenges we have encountered were that each researcher had to set up and manage their own single-user globus compute endpoint and that the workloads had varying resource requirements (CPUs, memory and wall time) between different runs. We hope that the multi-user endpoint will help to address these challenges and share an update on our progress here.
We describe the deployment and use of Globus Compute for remote computation. This content is aimed at researchers who wish to compute on remote resources using a unified programming interface, as well as system administrators who will deploy and operate Globus Compute services on their research computing infrastructure.
Accelerate Enterprise Software Engineering with PlatformlessWSO2
Key takeaways:
Challenges of building platforms and the benefits of platformless.
Key principles of platformless, including API-first, cloud-native middleware, platform engineering, and developer experience.
How Choreo enables the platformless experience.
How key concepts like application architecture, domain-driven design, zero trust, and cell-based architecture are inherently a part of Choreo.
Demo of an end-to-end app built and deployed on Choreo.
SOCRadar Research Team: Latest Activities of IntelBrokerSOCRadar
The European Union Agency for Law Enforcement Cooperation (Europol) has suffered an alleged data breach after a notorious threat actor claimed to have exfiltrated data from its systems. Infamous data leaker IntelBroker posted on the even more infamous BreachForums hacking forum, saying that Europol suffered a data breach this month.
The alleged breach affected Europol agencies CCSE, EC3, Europol Platform for Experts, Law Enforcement Forum, and SIRIUS. Infiltration of these entities can disrupt ongoing investigations and compromise sensitive intelligence shared among international law enforcement agencies.
However, this is neither the first nor the last activity of IntekBroker. We have compiled for you what happened in the last few days. To track such hacker activities on dark web sources like hacker forums, private Telegram channels, and other hidden platforms where cyber threats often originate, you can check SOCRadar’s Dark Web News.
Stay Informed on Threat Actors’ Activity on the Dark Web with SOCRadar!
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...Globus
The Earth System Grid Federation (ESGF) is a global network of data servers that archives and distributes the planet’s largest collection of Earth system model output for thousands of climate and environmental scientists worldwide. Many of these petabyte-scale data archives are located in proximity to large high-performance computing (HPC) or cloud computing resources, but the primary workflow for data users consists of transferring data, and applying computations on a different system. As a part of the ESGF 2.0 US project (funded by the United States Department of Energy Office of Science), we developed pre-defined data workflows, which can be run on-demand, capable of applying many data reduction and data analysis to the large ESGF data archives, transferring only the resultant analysis (ex. visualizations, smaller data files). In this talk, we will showcase a few of these workflows, highlighting how Globus Flows can be used for petabyte-scale climate analysis.
Software Engineering, Software Consulting, Tech Lead.
Spring Boot, Spring Cloud, Spring Core, Spring JDBC, Spring Security,
Spring Transaction, Spring MVC,
Log4j, REST/SOAP WEB-SERVICES.
Top Features to Include in Your Winzo Clone App for Business Growth (4).pptxrickgrimesss22
Discover the essential features to incorporate in your Winzo clone app to boost business growth, enhance user engagement, and drive revenue. Learn how to create a compelling gaming experience that stands out in the competitive market.
OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoamtakuyayamamoto1800
In this slide, we show the simulation example and the way to compile this solver.
In this solver, the Helmholtz equation can be solved by helmholtzFoam. Also, the Helmholtz equation with uniformly dispersed bubbles can be simulated by helmholtzBubbleFoam.
top nidhi software solution freedownloadvrstrong314
This presentation emphasizes the importance of data security and legal compliance for Nidhi companies in India. It highlights how online Nidhi software solutions, like Vector Nidhi Software, offer advanced features tailored to these needs. Key aspects include encryption, access controls, and audit trails to ensure data security. The software complies with regulatory guidelines from the MCA and RBI and adheres to Nidhi Rules, 2014. With customizable, user-friendly interfaces and real-time features, these Nidhi software solutions enhance efficiency, support growth, and provide exceptional member services. The presentation concludes with contact information for further inquiries.
Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...Shahin Sheidaei
Games are powerful teaching tools, fostering hands-on engagement and fun. But they require careful consideration to succeed. Join me to explore factors in running and selecting games, ensuring they serve as effective teaching tools. Learn to maintain focus on learning objectives while playing, and how to measure the ROI of gaming in education. Discover strategies for pitching gaming to leadership. This session offers insights, tips, and examples for coaches, team leads, and enterprise leaders seeking to teach from simple to complex concepts.
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...Globus
Large Language Models (LLMs) are currently the center of attention in the tech world, particularly for their potential to advance research. In this presentation, we'll explore a straightforward and effective method for quickly initiating inference runs on supercomputers using the vLLM tool with Globus Compute, specifically on the Polaris system at ALCF. We'll begin by briefly discussing the popularity and applications of LLMs in various fields. Following this, we will introduce the vLLM tool, and explain how it integrates with Globus Compute to efficiently manage LLM operations on Polaris. Attendees will learn the practical aspects of setting up and remotely triggering LLMs from local machines, focusing on ease of use and efficiency. This talk is ideal for researchers and practitioners looking to leverage the power of LLMs in their work, offering a clear guide to harnessing supercomputing resources for quick and effective LLM inference.
6. #RSAC
Back Where It All Begins
6
Okay, passwords are ancient
But first known computer use was in ‘61
at MIT for the Compatible Time-Sharing System
— each user had a private set of files and allotment of
computing time
Even back then IAM was about the right people
having access to the right things at the right time
System defeated just one year later
request to print the password file offline
8. And I’m a little hazy on what happened in that time
9. #RSAC
Twenty-Some Years Later
The World Wide Web is Now a Thing
HTTP Basic Authentication
Per application credentials
Centralized LDAP
credentials sent & checked on every request
HTML form based login
Cookie based session established from login
Typically opaque value referencing server side memory
Around this time I’d write my first single sign-on
system…
10. (blindly trusting a user id value in a site-wide cookie, what could possibly go wrong?)
11. #RSAC
Luckily, competent people were also working on it
Web Access Management (WAM) Products/Solutions
Single sign-on, authorization policy, and authentication management
Web sever agent (but sometimes also proxies)
Domain-wide cookie (but secured unlike mine)
Centralized policy server
Typically deployed in
— Large consumer web sites
— Enterprise applications behind the firewall
Cross-domain solutions existed but proprietary & non-interoperable
25. <saml:Assertion ID="y2bvAdFrnRNvnm103yjiimgjhw7" IssueInstant="2016-12-05T21:38:44.771Z”
Version="2.0” xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<saml:Issuer>https://pongidentity.com</saml:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference URI="#y2bvAdFrnRNvnm103yjiimgjhw7"><ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>zsB4Oo4ebepuGBJ3FC7z6qRei5d4DWjQlEqhJhEu/+4=</ds:DigestValue>
</ds:Reference></ds:SignedInfo><ds:SignatureValue>gZbkpGU[...omitted...]o2riMFGnTraY=</ds:SignatureValue></ds:Signature>
<saml:Subject>
<saml:NameID Format="rn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">bcampbell</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData Recipient="https://workplace247.com/ACS" NotOnOrAfter="2016-12-05T21:48:44.771Z"/>
</saml:SubjectConfirmation></saml:Subject>
<saml:Conditions NotBefore="2016-12-05T21:33:44.771Z" NotOnOrAfter="2016-12-05T21:48:44.771Z">
<saml:AudienceRestriction><saml:Audience>urn:federation:workplace-24-7</saml:Audience></saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement SessionIndex="y2bvAdFrnRNvnm103yjiimgjhw7" AuthnInstant="2016-12-05T21:27:35.000Z">
<saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef></saml:AuthnContext>
</saml:AuthnStatement>
<saml:AttributeStatement xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<saml:Attribute Name="fname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xsi:type="xs:string">Brian</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="lname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xsi:type="xs:string">Campbell</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xsi:type="xs:string">bcampbell@pongidentity.com</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement></saml:Assertion>
SAML: XML standard for exchanging security & identity information
From
To (also a constraint)
Signatur
e
Who
Constraints
More Constraints
Authentication
info
More user info
26. #RSAC
OAuth Drivers: Password Sharing is Bad
Other sites asks YOU for your
<redacted> password so it can
access your <redacted> stuff.
27. #RSAC
OAuth Drivers: SOAP -> REST & JSON
but there were no
comparable authentication
& authorization standards
to WS-*
28. #RSAC
OAuth 2.0 In A Nutshell
Client
Resource
Server
Authorization
Server
29. #RSAC
OpenID Connect: SSO built on OAuth 2.0
“OpenID Connect is a simple
identity layer on top of the
OAuth 2.0 protocol.”
Simple is in the eye of the
beholder
But complexity burden shifted
to the identity provider
Adds a lot to OAuth
But the main thing is the JSON
Web Token (JWT) based ID
Token
Client
Resource
Server
Authorization
Server
30. #RSAC
jot or not?
The JWT
eyJraWQiOiI1IiwiYWxnIjoiRVMyNTYifQ.eyJpc3MiOiJodHRwczpcL1wvaWRwLmV4YW1wbGUuY29tIiwKIm
V4cCI6MTM1NzI1NTc4OCwKImF1ZCI6Imh0dHBzOlwvXC9zcC5leGFtcGxlLm9yZyIsCiJqdGkiOiJ0bVl2WVZ
VMng4THZONzJCNVFfRWFjSC5fNUEiLAoiYWNyIjoiMiIsCiJzdWIiOiJCcmlhbiJ9.
The Header
{"kid":"5","alg":"ES256"}
The Payload
{"iss":"https://idp.example.com",
"exp":1357255788,
"aud":"https://sp.example.org",
"jti":"tmYvYVU2x8LvN72B5Q_EacH._5A",
"acr":"2",
"sub":"Brian"}
32. #RSAC
…it’s how you use it
Simpler = Better
Web safe encoding w/ no canonicalization
(Because canonicalization is a four letter word*)
Improved Interoperability & Security
Mostly been true
Eliminates entire classes of attacks
XSLT Transform DOS, Remote Code Execution, and Bypass
C14N Hash Truncation
Entity Expansion Attacks
XPath Transform DOS and Bypass
External Reference DOS
Signature Wrapping Attacks
Brad Hill, pictured here speaking in 2011, published some of these attacks
* especially when you spell it c14n
34. OAuth 2.0 used
for sign-on with
native mobile
applications
https://tools.ietf.org/html/draft-ietf-oauth-native-apps
35. #RSAC
OAuth 2.0 for Native Apps
1. Request
authorization +
PKCE
2. User
authentication &
approval
3. Callback to
custom scheme
URI
4. Exchange code for
tokens + PKCE
5. Access protected
API
Device
Native
App
System Browser
1
https:// Home Service
1
2
3
Authorization
Endpoint
Token
Endpoint
3
45
36. #RSAC
Enables Federated and Multi-factor Sign-on
Device
Native
App
System Browser
1
https:// Home Service
1
2
3
Authorization
Endpoint
Token
Endpoint
3
45
Enterprise or
Social Identity
Provider
Leveraging existing and future
investment in web based
authentication
38. Fast IDentity Online
Strong cryptographic 2nd
factor option for end user
security
U2F device: USB, NFC,
Bluetooth LE, on-board
machine/mobile
Registration of client
generated site-specific
public key
Authentication by signing a
challenge
U2F
39. What’s In Your Pocket?
Phone becoming a nearly ubiquitous “something you have”
41. Token Binding
• Enables a long-lived binding to
browser generated public-private key
pair used to sign TLS exported keying
material and sent as an HTTP header
• Bind to cookies, SSO tokens, OAuth
tokens
42. #RSAC
Are we done yet?
IAM: Seamlessly enabling the
right people to have access to
the right resources at the right
time
Federated single sign-on to SaaS &
organizational applications
Stronger user authentication with
less frequent direct user
interaction
Stronger session and SSO tokens
bound to keys on the device
Almost…
43. SESSION ID:SESSION ID:
#RSAC
Brian Campbell
Identity and Access Management:
Past/Present/Future, SAML, OAuth, FIDO, OIDC, other
acronyms, and emerging trends
SEM-M04
Distinguished Engineer
Ping Identity
@__b_c
Thanks!
You’ve been watching: