Implementing MITREid - CIS 2014 Presentation

•Download as PPTX, PDF•

5 likes•3,338 views

The story of MITREid, a corporate identity system implemented at MITRE built around OpenID 2.0 and, later, OpenID Connect.

Technology

The story of MITREid
Justin Richer
The MITRE Corporation
© 2014 The MITRE Corporation. All rights reserved.
Approved for Public Release: Distribution Unlimited (Case Number: 14-1639)

The plight of a software developer
• I build things that people use
• I want to know who’s there
• What can I do?

3. Use Enterprise SSO
Firewall
Intranet
Internet

Why OpenID?
• Open standard protocol
• Network-based federation
• User-driven trust model
• Simple to use and develop

Make it easy for developers:
Platform support
• Libraries:
– Java
– PHP
– Python
– Javascript
– Ruby
– Perl
– …
• Platforms & Plugins:
– Spring Security
– Elgg
– Wordpress
– Mediawiki
– Omniauth
– Drupal
– …

User Profiles: The mobile user
Firewall
Intranet
Internet
OpenID Server
2FA

The architecture
Firewall
User Profiles
Shared
Database
Internal OP External OP
Intranet
Internet
Two-Factor AuthnCorporate SSO

Let’s build it (again)!
• OAuth 2.0 and OpenID Connect server
• OpenID Connect client library
• Enterprise-friendly features and platform
• Flexible deployment
and...

Moving toward federation across
the extended enterprise

Better security: Separation
OpenID
Provider

Delegating services: OAuth
OpenID
Provider

Easier integration by developers
OpenID
Provider• Standard
• Agile
• Flexible
• Distributed
• Proprietary
• Fragile
• Rigid
• Centralized

Better administration:
An abstraction layer
OpenID
Provider

Scalable security decisions
Whitelist
Trusted partners, business contracts, customer
organizations, trust frameworks
Graylist
User-based trust decisions
Follow Trust on First Use model, keep logs
Blacklist
Very bad sites we don’t
want to deal with, ever
Organizations
decidethese
End-users
decidethese

Conclusions
• Use open standards
• Give your people digital identities and let
them decide where to use them
• Use federation where possible

With the proliferation of cloud applications, mobile devices, and the need to connect to external users, IT organizations are increasingly challenged with how to manage and gain transparency into user access to systems and applications. As your organization looks to deploy Identity in the cloud, it’s critical that this is backed by open-standards. In this webinar, Chuck Mortimore, Pat Patterson, and Ian Glazer will give you a broad overview of how OpenID Connect can help better connect you with your customers, partners, apps, and devices Key Takeaways Get introduced to OpenID Connect, learn how it builds on top of OAuth, and discover why it’s an important new standard for your organization Consume OpenID Connect from popular Identity providers with Social Sign-On Provide a single, branded Identity to your own users and applications using OpenID Connect Use OpenID Connect to easily build Identity-enabled mobile applications Plan for the next generation of connected devices Intended Audience This webinar is aimed at a technical audience of administrators, developers, architects and business analysts who are wishing to learn more about Identity and Standards

OpenID Connect 1.0 Explained

Eugene Siow

CIS14: Consolidating Authorization for API and Web SSO using OpenID Connect

CloudIDSummit

OpenID Connect and Single Sign-On for Beginners

Salesforce Developers

Websites and applications are implementing social single sign-on to allow users to login using trusted authentication providers such as Google, Facebook, and even Salesforce. Join us to learn how to configure the OpenID Connect authentication provider to allow users to authenticate at Google to access a Salesforce environment. We'll also look at how you can relieve yourself of the burden of password management by having your web app login users via Salesforce.

Full stack security

DPC Consulting Ltd

The Client is not always right! How to secure OAuth authentication from your...

Mike Schwartz

The OpenID Connect or OAuth frameworks can be used to achieve a range of security levels. Properly used, it mitigates many risks. However, OpenID Connect’s flexibility, combined with its shared ontogeny with OAuth 2.0, creates opportunities for error--developers may not use (or even know about ) certain features necessary to achieve the transaction integrity they desire. The good news is that client software and middleware services can do some of the heavy lifting. You can have the best of both worlds--maximizing security and developer joy. Whether you’re a developer or security architect, what should you look for in an application that acts as an OpenID Connect client?

OpenID Connect: An Overview

Pat Patterson

As products and companies move towards IoT model, users and machines alike need to interact with various APIs. Securing these APIs in a connected world can be a challenge faced by many. Fortunately, there are open standards addressing even the most complex of use cases - OAuth, OpenID and OpenID Connect happen to be widely adopted and have a growing support across many API and Identity Providers. In this session I'll talk about these standards, and walk through common use cases/flows from an API Provider as well as consumer's side. We will explore how these standards come together to not only secure the APIs, but also manage identity.

OpenId Connect Protocol

Michael Furman

Single Sign On with OAuth and OpenID

Gasperi Jerome

An Authentication and Authorization Architecture for a Microservices World

VMware Tanzu

SpringOne Platform 2016 Speaker: David Ferriera; Director, Cloud Technology, Forgerock Microservices architecture elevates the challenges for Authentication and Authorization management. When a single frontend request can result in many backend microservices calls, it is important to balance security and performance. ForgeRock provides a standards-based blueprint that provides a flexible solution for making these choices while protecting your Cloud Foundry services end to end.

CIS 2015 OpenID Connect and Mobile Applications - David Chase

CloudIDSummit

Troubleshooting Novell Access Manager 3.1

Novell

In this session Novell technical support engineers will cover best practices guidelines for functionality and performance to proactively avoid problems in Novell Access Manager. They will discuss architecture issues and cover the flow of operation of key Access Manager components. Finally, they will describe key troubleshooting tips and tools to enable you to proactively avoid common issues, and solve them more quickly should they occur. Speaker: Neil Cashell Technical Support Engineer

Stateless authentication with OAuth 2 and JWT - JavaZone 2015

Alvaro Sanchez-Mariscal

This talk is about how to secure your front-end + backend applications using a RESTful approach. As opposed to traditional and monolithic server-side applications (where the HTTP session is used), when your front-end application is running on a browser and not securely from the server, there are few things you need to consider. In this session Alvaro will explore standards like OAuth and JWT to achieve a stateless, token-based authentication and authorisation. He will explore the existing impl More specifically, the demonstration will be made using Spring Security REST, a popular Grails plugin written by Álvaro. Authentication is normally a stateful service. Most of the implementations rely on the HTTP session, thus introducing state as the session is an in-memory data structure in the application server. In the microservices era, most of the companies are developing such called RESTful services, where one of the principles is to create stateless systems. In such scenario, authentication should be stateless too. There is a standard specification to secure web application and API's, that is being adopted massively by the industry: OAuth 2. The specification doesn't explicitly cover how to make a stateless implementation. And most of the existing ones depend on some sort of external storage (such as a DB) to store the tokens generated for a later validation. Fortunately, there is another specification by the IETF called JSON Web Token, that can be combined with OAuth 2 to achieve a stateless authentication system. In the session, Alvaro will explain the core concepts of OAuth 2, as well as JWT and how can them be used together to achieve the last 2 letters of REST: State Transfer.

FIDO2 Specifications Overview

FIDO Alliance

Protecting web APIs with OAuth 2.0

Vladimir Dzhuvinov

Как да контролираме достъпа до web API и други защитени ресурси посредством OAuth 2.0, и как да идентифицираме потребители с OpenID Connect. Лекцията е предназначена за уеб архитекти и програмисти, както и за всички разработчици, които искат да научат повече за новите уеб протоколи за авторизация и автентикация.

Why Assertion-based Access Token is preferred to Handle-based one?

Hitachi, Ltd. OSS Solution Center.

OAuth 2.0 and OpenId Connect

Saran Doraiswamy

RSA Conference 2016: Don't Use Two-Factor Authentication... Unless You Need It!

Mike Schwartz

Authorization and Authentication in Microservice Environments

LeanIX GmbH

Loggin in to a website seems easy. But what seems so simple, is only easy as long as the website is based on a monolith in the background. But what happens, if there are lots of microservices at work? How do the microservices know that the user is who he is and how can this be achieved efficiently? The use of JSON Web Tokens (JWT) can be a solution. Presentation from the 2017 microXchg Conference in Berlin.

Stateless authentication for microservices - Spring I/O 2015

Alvaro Sanchez-Mariscal

http://www.springio.net/stateless-authentication-for-microservices/ This talk is about how to secure your front-end + backend applications using a RESTful approach. As opposed to traditional and monolithic server-side applications (where the HTTP session is used), when your front-end application is running on a browser and not securely from the server, there are few things you need to consider. In this session Alvaro will explore standards like OAuth and JWT to achieve a stateless, token-based authentication and authorization using Spring Security in Grails. More specifically, the demonstration will be made using Spring Security REST, a popular Grails plugin written by Álvaro.

muCon 2016: Authentication in Microservice Systems By David Borsos

OpenCredo

Software security is hard. Software security in Microservice Systems is even harder. Microservice-style software architectures have steadily been gaining popularity in recent years. They offer many benefits over traditional monolithic software products, however they also introduce new challenges - one of these being security. In recent years David has worked on this problem in several independent projects, and this talk will draw on his learnings within the topic of authenticating end-users. David will describe, compare and evaluate several authentication options from the perspective of how secure they are and how well they comply with the qualities of a well-designed microservice system. You will leave the talk with suggested evaluation criteria and guidance for implementation based on their use cases.

Certification Authority - Sergio LiettiNúcleo de Computação Científica

Using Federation to Simplify Access to SharePoint, SaaS and Partner Applications

Novell

Identity federation has become the standard method for delivering access to services across organizational boundaries. More recently, federation has become the preferred method for managing user access within Microsoft SharePoint environments. In this session, you will get an overview of the federation capabilities in Novell Access Manager. Specifically, the presenters will provide an introduction to identity federation, cover basic setup and configuration, and show you how to enable federated access to Microsoft SharePoint and Google applications. No previous knowledge of federation standards is required for this session.

Auth in the extended enterprise - Keynote for MIT Legal Hack A Thon 2013Justin Richer

Aus cert event_2010

Palo Alto Networks

What's hot

OAuth 2.0 & OpenID Connect @ OpenSource Conference 2011 Tokyo #osc11tkNov Matake

FIDO2 Specifications Overview

FIDO Alliance

LASCON 2017: SAML v. OpenID v. Oauth

Mike Schwartz

Securing your APIs with OAuth, OpenID, and OpenID Connect

Manish Pandit

OpenId Connect Protocol

Michael Furman

Single Sign On with OAuth and OpenID

Gasperi Jerome

An Authentication and Authorization Architecture for a Microservices World

VMware Tanzu

CIS 2015 OpenID Connect and Mobile Applications - David Chase

CloudIDSummit

Troubleshooting Novell Access Manager 3.1

Novell

Stateless authentication with OAuth 2 and JWT - JavaZone 2015

Alvaro Sanchez-Mariscal

FIDO2 Specifications Overview

FIDO Alliance

Protecting web APIs with OAuth 2.0

Vladimir Dzhuvinov

Why Assertion-based Access Token is preferred to Handle-based one?

Hitachi, Ltd. OSS Solution Center.

OAuth 2.0 and OpenId Connect

Saran Doraiswamy

RSA Conference 2016: Don't Use Two-Factor Authentication... Unless You Need It!

Mike Schwartz

Authorization and Authentication in Microservice Environments

LeanIX GmbH

Stateless authentication for microservices - Spring I/O 2015

Alvaro Sanchez-Mariscal

muCon 2016: Authentication in Microservice Systems By David Borsos

OpenCredo

Certification Authority - Sergio LiettiNúcleo de Computação Científica

Using Federation to Simplify Access to SharePoint, SaaS and Partner Applications

Novell

What's hot (20)

OAuth 2.0 & OpenID Connect @ OpenSource Conference 2011 Tokyo #osc11tk

FIDO2 Specifications Overview

LASCON 2017: SAML v. OpenID v. Oauth

Securing your APIs with OAuth, OpenID, and OpenID Connect

OpenId Connect Protocol

Single Sign On with OAuth and OpenID

An Authentication and Authorization Architecture for a Microservices World

CIS 2015 OpenID Connect and Mobile Applications - David Chase

Troubleshooting Novell Access Manager 3.1

Stateless authentication with OAuth 2 and JWT - JavaZone 2015

FIDO2 Specifications Overview

Protecting web APIs with OAuth 2.0

Why Assertion-based Access Token is preferred to Handle-based one?

OAuth 2.0 and OpenId Connect

RSA Conference 2016: Don't Use Two-Factor Authentication... Unless You Need It!

Authorization and Authentication in Microservice Environments

Stateless authentication for microservices - Spring I/O 2015

muCon 2016: Authentication in Microservice Systems By David Borsos

Certification Authority - Sergio Lietti

Using Federation to Simplify Access to SharePoint, SaaS and Partner Applications

Viewers also liked

Auth in the extended enterprise - Keynote for MIT Legal Hack A Thon 2013Justin Richer

Aus cert event_2010

Palo Alto Networks

Future makers

Giulia Christeen

Priority moments digitalGiulia Christeen

Jamaicamichaelanatal

здоров'я – найвища цінність життя людиниАнна Денисенко

Blackboard Mobile: Best Practices from the Field (Pre-Session Workshop)FSU-ITS

iPad Pilot Projects at Framingham State University: Three Use Cases

FSU-ITS

Framingham State University has embraced the use of iPads in the library and in the classroom. In collaboration with the Educational Technology Office, the curriculum library and reference department are supporting three pilot projects: e-textbooks and apps for two biology courses, a small scale iPad lending program for the education students, and the use of iPads and apps within reference. This presentation is geared toward academic libraries, but informative for school and public libraries as well. For more information please contact: Clair Waterbury at cwaterbury@framingham.edu; Kim Cochrane at kchocrane1@framingham.edu; Millie Gonzalez at vgonzalez@framingham.edu

ApuntesJezz Lopezito

Connected.

Matthew Winner

Be the HeroMatthew Winner

ззт ехнологии царинная зош№1г.ХарцызскАнна Денисенко

ош № 2 отчет презентация о недели обж,нвп и мсп

Анна Денисенко

Bb w ppt_content_conferencesession-ittakesa_village_finalFSU-ITS

في الفصلmohammadfadhliabdullah

Future makers

Giulia Christeen

Palo Alto Networks Application Usage and Risk Report - Key Findings for Korea

Palo Alto Networks

организация и методика выполнения проектов в физ реАнна Денисенко

ApuntesJezz Lopezito

Vida

alexamaryoe

Viewers also liked (20)

Auth in the extended enterprise - Keynote for MIT Legal Hack A Thon 2013

Aus cert event_2010

Future makers

Priority moments digital

Jamaica

здоров'я – найвища цінність життя людини

Blackboard Mobile: Best Practices from the Field (Pre-Session Workshop)

iPad Pilot Projects at Framingham State University: Three Use Cases

Apuntes

Connected.

Be the Hero

ззт ехнологии царинная зош№1г.Харцызск

ош № 2 отчет презентация о недели обж,нвп и мсп

Bb w ppt_content_conferencesession-ittakesa_village_final

في الفصل

Future makers

Palo Alto Networks Application Usage and Risk Report - Key Findings for Korea

организация и методика выполнения проектов в физ ре

Apuntes

Vida

Similar to Implementing MITREid - CIS 2014 Presentation

CIS14: Implementing MITREid

CloudIDSummit

Anonymous Individual Integration for IoT

Paul Fremantle

OpenID Connect "101" Introduction -- October 23, 2018

OpenIDFoundation

Single Sign On 101

Mike Schwartz

Introducing OpenAthens Cloud for content providers

OpenAthens

How to Make Your IoT Devices Secure, Act Autonomously & Trusted Subjects

Maxim Salnikov

SMB Security Product Overview.pptx

kovec2684

Connecting The Real World With The Virtual World

Ping Identity

Solution day : Running infrastructure like a cloud speed and agile

PT Datacomm Diangraha

Windows Azure Security & Compliance

Nuno Godinho

Touring the Dark Side of Internet: A Journey through IOT, TOR & Docker

Abhinav Biswas

With the advent of IOT, Every 'Thing' is getting Smart, starting from the range of smartwatches, smart refrigerators, smart bulbs to smart car, smart healthcare, smart agriculture, smart retail, smart city and what not, even smart planet. But why is every thing getting smart? People are trying to bridge the gap between Digital World & Physical World by means of ubiquitous connectivity to Internet, and when digital things become physical, digital threats also become physical threats. Security & Privacy issues are rising as never before. What if the microphone in your smart TV can be used to eavesdrop the private communications in your bed room? What if a smart driverless car deliberately crashes itself into an accident? What if you want to be Anonymous over Internet and don't want anybody to track you? This talk will focus on answering the above questions with a view on 'What are we currently doing to protect ourselves' and 'What we need to do'. What are the new security challenges that are coming up and how privacy & anonymity is taking the lead over security. The talk will also sensitive the audience about the paradigm shift that is happening in IOT DevOps, with help of Docker Containers and how they can be anonymised using TOR.

Cyber security event

Tryzens

Primendi Pilveseminar - Enterprise Mobility suite

Primend

Mobilize your workforce with secure identity services

Sumana Mehta

Active Directory-Based Authentication for Mobile Apps Centrify partner program provides mobile application developers with a free, easy-to-deploy solution for integrating their apps with Active Directory and delivering 'Zero Sign-On' to enterprise users Centrify Mobile Authentication Services (MAS) and Software Developer Kit (SDK) delivers the first cloud-based solution that enables Active Directory-based authentication for mobile applications. With a simple, high-level API, developers can easily add Centrify's unique "zero sign-on" authentication and authorization services to their multi-tier applications, from the mobile device seamlessly through to their existing back-end infrastructure. Centrify's Mobile Authentication Service adds a critical capability not available in existing Mobile Device Management offerings, yet it is compatible with any existing MDM solution, including Centrify's mobile security management solution, to enable a comprehensive mobile security solution. http://www.centrify.com/mobile/mobile-authentication-services.asp

Hitachi ID Identity and Access Management Suite

Hitachi ID Systems, Inc.

Hitachi ID Password Manager

Hitachi ID Systems, Inc.

gkkCloudtechnologyassociate(cta)day 1

Anne Starr

6 Ways to Get More From Your Azure

C/D/H Technology Consultants

6 Ways to Get More From Your Azure

Holly Plude

6 Ways to Get More From Your Azure

C/D/H Technology Consultants

Are you getting the most out of Azure? Learn 6 ways to get more from your Azure platform. Join one of our top Infrastructure and Cloud consultants, Mike Balatzis to learn how to get more from your Azure platform. Mike is an information technology consultant with 18 years’ experience in Microsoft enterprise solutions, including Windows server and desktop operating systems, Exchange, and System Center Configuration Manager. In addition, Mike is an MSCE for the Private Cloud as well as a VTSP for Azure. This webinar will cover the following important topics •Microsoft Azure Infrastructure and Networking •Securing Resources •Application Storage & Data Access Strategy •Applications in Azure •Websites in Microsoft Azure •Design a Management, Monitoring, and Business Continuity Strategy

Similar to Implementing MITREid - CIS 2014 Presentation (20)

CIS14: Implementing MITREid

Anonymous Individual Integration for IoT

OpenID Connect "101" Introduction -- October 23, 2018

Single Sign On 101

Introducing OpenAthens Cloud for content providers

How to Make Your IoT Devices Secure, Act Autonomously & Trusted Subjects

SMB Security Product Overview.pptx

Connecting The Real World With The Virtual World

Solution day : Running infrastructure like a cloud speed and agile

Windows Azure Security & Compliance

Touring the Dark Side of Internet: A Journey through IOT, TOR & Docker

Cyber security event

Primendi Pilveseminar - Enterprise Mobility suite

Mobilize your workforce with secure identity services

Hitachi ID Identity and Access Management Suite

Hitachi ID Password Manager

gkkCloudtechnologyassociate(cta)day 1

6 Ways to Get More From Your Azure

Recently uploaded

GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...

Neo4j

Dr. Sean Tan, Head of Data Science, Changi Airport Group Discover how Changi Airport Group (CAG) leverages graph technologies and generative AI to revolutionize their search capabilities. This session delves into the unique search needs of CAG’s diverse passengers and customers, showcasing how graph data structures enhance the accuracy and relevance of AI-generated search results, mitigating the risk of “hallucinations” and improving the overall customer journey.

Pushing the limits of ePRTC: 100ns holdover for 100 days

Adtran

LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...

DanBrown980551

Do you want to learn how to model and simulate an electrical network from scratch in under an hour? Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)! During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook. PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides: - A fully editable and extendable library for grid component modelling; - Visualization tools to display your network; - Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses; The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well. What you will learn during the webinar: - For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills; - For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.

Essentials of Automations: The Art of Triggers and Actions in FME

Safe Software

In this second installment of our Essentials of Automations webinar series, we’ll explore the landscape of triggers and actions, guiding you through the nuances of authoring and adapting workspaces for seamless automations. Gain an understanding of the full spectrum of triggers and actions available in FME, empowering you to enhance your workspaces for efficient automation. We’ll kick things off by showcasing the most commonly used event-based triggers, introducing you to various automation workflows like manual triggers, schedules, directory watchers, and more. Plus, see how these elements play out in real scenarios. Whether you’re tweaking your current setup or building from the ground up, this session will arm you with the tools and insights needed to transform your FME usage into a powerhouse of productivity. Join us to discover effective strategies that simplify complex processes, enhancing your productivity and transforming your data management practices with FME. Let’s turn complexity into clarity and make your workspaces work wonders!

GridMate - End to end testing is a critical piece to ensure quality and avoid...

ThomasParaiso2

GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...

Neo4j

Sudheer Mechineni, Head of Application Frameworks, Standard Chartered Bank Discover how Standard Chartered Bank harnessed the power of Neo4j to transform complex data access challenges into a dynamic, scalable graph database solution. This keynote will cover their journey from initial adoption to deploying a fully automated, enterprise-grade causal cluster, highlighting key strategies for modelling organisational changes and ensuring robust disaster recovery. Learn how these innovations have not only enhanced Standard Chartered Bank’s data infrastructure but also positioned them as pioneers in the banking sector’s adoption of graph technology.

UiPath Test Automation using UiPath Test Suite series, part 5

DianaGray10

Communications Mining Series - Zero to Hero - Session 1

DianaGray10

This session provides introduction to UiPath Communication Mining, importance and platform overview. You will acquire a good understand of the phases in Communication Mining as we go over the platform with you. Topics covered: • Communication Mining Overview • Why is it important? • How can it help today’s business and the benefits • Phases in Communication Mining • Demo on Platform overview • Q/A

Artificial Intelligence for XMLDevelopment

Octavian Nadolu

In the rapidly evolving landscape of technologies, XML continues to play a vital role in structuring, storing, and transporting data across diverse systems. The recent advancements in artificial intelligence (AI) present new methodologies for enhancing XML development workflows, introducing efficiency, automation, and intelligent capabilities. This presentation will outline the scope and perspective of utilizing AI in XML development. The potential benefits and the possible pitfalls will be highlighted, providing a balanced view of the subject. We will explore the capabilities of AI in understanding XML markup languages and autonomously creating structured XML content. Additionally, we will examine the capacity of AI to enrich plain text with appropriate XML markup. Practical examples and methodological guidelines will be provided to elucidate how AI can be effectively prompted to interpret and generate accurate XML markup. Further emphasis will be placed on the role of AI in developing XSLT, or schemas such as XSD and Schematron. We will address the techniques and strategies adopted to create prompts for generating code, explaining code, or refactoring the code, and the results achieved. The discussion will extend to how AI can be used to transform XML content. In particular, the focus will be on the use of AI XPath extension functions in XSLT, Schematron, Schematron Quick Fixes, or for XML content refactoring. The presentation aims to deliver a comprehensive overview of AI usage in XML development, providing attendees with the necessary knowledge to make informed decisions. Whether you’re at the early stages of adopting AI or considering integrating it in advanced XML development, this presentation will cover all levels of expertise. By highlighting the potential advantages and challenges of integrating AI with XML development tools and languages, the presentation seeks to inspire thoughtful conversation around the future of XML development. We’ll not only delve into the technical aspects of AI-powered XML development but also discuss practical implications and possible future directions.

zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs

Alex Pruden

This paper presents Reef, a system for generating publicly verifiable succinct non-interactive zero-knowledge proofs that a committed document matches or does not match a regular expression. We describe applications such as proving the strength of passwords, the provenance of email despite redactions, the validity of oblivious DNS queries, and the existence of mutations in DNA. Reef supports the Perl Compatible Regular Expression syntax, including wildcards, alternation, ranges, capture groups, Kleene star, negations, and lookarounds. Reef introduces a new type of automata, Skipping Alternating Finite Automata (SAFA), that skips irrelevant parts of a document when producing proofs without undermining soundness, and instantiates SAFA with a lookup argument. Our experimental evaluation confirms that Reef can generate proofs for documents with 32M characters; the proofs are small and cheap to verify (under a second). Paper: https://eprint.iacr.org/2023/1886

RESUME BUILDER APPLICATION Project for students

KAMESHS29

GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024

Neo4j

Video Streaming: Then, Now, and in the Future

Alpen-Adria-Universität

In his public lecture, Christian Timmerer provides insights into the fascinating history of video streaming, starting from its humble beginnings before YouTube to the groundbreaking technologies that now dominate platforms like Netflix and ORF ON. Timmerer also presents provocative contributions of his own that have significantly influenced the industry. He concludes by looking at future challenges and invites the audience to join in a discussion.

National Security Agency - NSA mobile device best practices

Quotidiano Piemontese

FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf

FIDO Alliance

By Design, not by Accident - Agile Venture Bolzano 2024

Pierluigi Pugliese

Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf

Malak Abu Hammad

Discover how MongoDB Atlas and vector search technology can revolutionize your application's search capabilities. This comprehensive presentation covers: * What is Vector Search? * Importance and benefits of vector search * Practical use cases across various industries * Step-by-step implementation guide * Live demos with code snippets * Enhancing LLM capabilities with vector search * Best practices and optimization strategies Perfect for developers, AI enthusiasts, and tech leaders. Learn how to leverage MongoDB Atlas to deliver highly relevant, context-aware search results, transforming your data retrieval process. Stay ahead in tech innovation and maximize the potential of your applications. #MongoDB #VectorSearch #AI #SemanticSearch #TechInnovation #DataScience #LLM #MachineLearning #SearchTechnology

20240605 QFM017 Machine Intelligence Reading List May 2024

Matthew Sinclair

DevOps and Testing slides at DASA Connect

Kari Kakkonen

Encryption in Microsoft 365 - ExpertsLive Netherlands 2024

Albert Hoitingh

Recently uploaded (20)

GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...

Pushing the limits of ePRTC: 100ns holdover for 100 days

LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...

Essentials of Automations: The Art of Triggers and Actions in FME

GridMate - End to end testing is a critical piece to ensure quality and avoid...

GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...

UiPath Test Automation using UiPath Test Suite series, part 5

Communications Mining Series - Zero to Hero - Session 1

Artificial Intelligence for XMLDevelopment

zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs

RESUME BUILDER APPLICATION Project for students

GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024

Video Streaming: Then, Now, and in the Future

National Security Agency - NSA mobile device best practices

FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf

By Design, not by Accident - Agile Venture Bolzano 2024

Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf

20240605 QFM017 Machine Intelligence Reading List May 2024

DevOps and Testing slides at DASA Connect

Encryption in Microsoft 365 - ExpertsLive Netherlands 2024

Implementing MITREid - CIS 2014 Presentation

2. The plight of a software developer • I build things that people use • I want to know who’s there • What can I do?

3. 1. Make local accounts

4. 1. Make local accounts

5. 1. Make local accounts

6. 2. Use LDAP

7. 2. Use LDAP

8. 3. Use Enterprise SSO

9. 3. Use Enterprise SSO

10. 3. Use Enterprise SSO Firewall Intranet Internet

11. What to do?

12. Give people a digital identity

13. Let’s build something • OpenID 2.0 Server • Running on corporate IT hardware in corporate IT environment • Backed by corporate SSO and user profile information • “We do SSO so you don’t have to”

14. Why OpenID? • Open standard protocol • Network-based federation • User-driven trust model • Simple to use and develop

15. Make it easy for developers: Platform support • Libraries: – Java – PHP – Python – Javascript – Ruby – Perl – … • Platforms & Plugins: – Spring Security – Elgg – Wordpress – Mediawiki – Omniauth – Drupal – …

16. Usage Profile: The prototype Firewall Intranet Internet OpenID Server SSO

17. Usage Profile: The external service Firewall Intranet Internet OpenID Server SSO

18. User Profiles: The mobile user Firewall Intranet Internet OpenID Server 2FA

19. The architecture Firewall User Profiles Shared Database Internal OP External OP Intranet Internet Two-Factor AuthnCorporate SSO

20. Runtime security decisions

21. Adoption by the extended enterprise

22. The Long Tail 1 10 100 1000 10000

23. We didn’t even plan this

24. Multiple types of user

25. Moving on from OpenID 2.0

26. Let’s build it (again)! • OAuth 2.0 and OpenID Connect server • OpenID Connect client library • Enterprise-friendly features and platform • Flexible deployment and...

27. Open Source

28.

29. We’re running it ourselves

30. Building the specifications

31. Moving toward federation across the extended enterprise

32. Better security: Separation OpenID Provider

33. Delegating services: OAuth OpenID Provider

34. Better security: Revocation

35. Easier integration by developers OpenID Provider• Standard • Agile • Flexible • Distributed • Proprietary • Fragile • Rigid • Centralized

36. Better administration: An abstraction layer OpenID Provider

37. Scalable security decisions Whitelist Trusted partners, business contracts, customer organizations, trust frameworks Graylist User-based trust decisions Follow Trust on First Use model, keep logs Blacklist Very bad sites we don’t want to deal with, ever Organizations decidethese End-users decidethese

38. Conclusions • Use open standards • Give your people digital identities and let them decide where to use them • Use federation where possible

39. Questions? jricher@mitre.org

Editor's Notes

It’s 2009. I’m not part of corporate IT, but I build interesting stuff that people want to use.
Make everybody sign up for accounts
But now I have to do key management And I’ll probably get it wrong
But mine isn’t the only application that people use Bad UX Password management Extra credentials floating around And I probably got something wrong Besides, the user already has an account, let’s use that…
Use same password across many sites, all backed by the same user store
Benevolent MITM: user sends me their credentials directly, I replay those credentials against another service to make sure they’re good. Site could easily replay user credentials somewhere else, and users still need to enter UN/PW I never want to see your passwords! Plus, it’s not an HTTP protocol
Why not use traditional enterprise SSO? Users get a cookie that represents them, it’s easy to integrate, it’s how we’ve always done it…
HAHA: No. SSO domains are closely guarded and protected, centrally controlled I’m not an official IT app developer, I don’t have permission (and often can’t get permission) Many implementations suffer from the same MITM problems via domain-wide cookies (this has been used as a “feature” to proxy content for users)
Additionally, the traditional SSO approach can’t extend to sites outside the firewall.
“Welcome to your first day, now go get a gmail account so we can get started.” We give employees a phone, we give them an email address, why not an identity?
OpenID 2.0 server backed by corporate SSO “We do SSO so you don’t have to” Running on corporate hardware in corporate environment Funded by a (tiny) corporate research initiative
Automatically cross-platform
Libraries available for OpenID 2.0 in a wide array of languages and platforms. One discussion with identity vendor: “We support *both* platforms!” … ?
User is inside, the site they’re accessing is also inside. Typical development prototype system, driving much of my original use case.
User is inside, site is on the outside. This bridges corporate SSO credentials to an outside site, like Stack Overflow. MITRE now has a nearly-SSO user experience for a site that we have no contract or other special relationship with. Think about the implications of that.
User outside, site outside. We want more factors (especially with personal devices) but want to allow access to any external sites. We do *not* allow people to tunnel into the firewall.
We have deployed both OpenID 2.0 and OpenID Connect using this architecture Shared DNS between servers (both look like “id.mitre.org”)
Screenshot of MITREid OpenID 2.0 server Security decisions for users If you don’t know the answer to a trust question, ask the end user. Remember the decision. Log the event. TOFU: Trust On First Use.
MITRE’s Handshake system (at the time another research prototype, now a well-used production service) is hosted outside of MITRE’s firewall to allow external user access. Handshake needed a mechanism that allowed MITRE people to log in using SSO credentials. They used the OpenID prototype to great success. Handshake is whitelisted by the OpenID server, meaning most users have an SSO-experience and don’t realize they’re using OpenID at all.
Each bar is one site that was used, at least once, at the OpenID 2.0 server Logarithmic scale, number of users per site. Traditional IT likes to take care of the top couple sites (the “80%” rule) But what about all the sites with 5 users? 50 users? Most of the top ten aren’t whitelisted – some of the top sites aren’t even run by MITRE! There are 416 total sites There are 7896 total users There are 12611 total site approvals.
Somebody had set up a Gitorious instance inside the firewall. Gitorious already had built-in OpenID 2.0 support. I typed in my identifier and it just worked.
id.mitre.org: current MITRE users partnerid.mitre.org: extneral-to-MITRE username/password accounts cacproxy.mitre.org: DoD CAC holders We can separate classes of users foremost based on their IdP of origin In the future we hope to have other IdPs not run by MITRE
We tried to make our OpenID 2.0 system as compatible and capable as possible (PAPE, SREG, AX, directed identities), but the world was starting to look into future capabilities of OAuth2 and OpenID Connect
MITREid Connect MITREid was built on a shoestring budget with duct tape and bailing wire, MITREid Connect was engineered much more deliberately and released as open source (before any code was developed
Apache 2.0 license Transitioned to MIT KIT in fall 2013 (co-owned by MITRE) MITRE continues to contribute through the OSS process
Server and client in Java / Spring / Spring Security Related projects: JWK generator, JS account chooser, example custom server, example custom client All major development, bugs, documentation done on GitHub (small adaptor layers for
Track and help build the specifications in IETF and OIDF Bring our use cases to the table and participate in the discussions, make sure the general solution is robust and powerful for all
No need for domain-wide cookies to get SSO-like behavior (like “classic” enterprise SSO uses) Primary and global-secondary credentials aren’t leaked through sites, pairwise authentication only
(incidentally, that back-end connection is where OAuth comes in, and we’re also using that extensively)
We can revoke access to specific sites autonomously at the IdP Different sites get different parts of my identity
Don’t need to ask a sysadmin’s permission (!!) Support across a wide variety of platforms and use cases
Avoid mass upgrades to all the sites that are connected to your infrastructure (as long as the protocol doesn’t change) When we switched from CA SiteMinder to Oracle Access Manager, the hundreds of sites (MITRE and not) that were using the OpenID system never even knew the change happened.
End users know what they’re trying to do – ask them to make the decisions (in the right circumstances)

Implementing MITREid - CIS 2014 Presentation

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (20)

Similar to Implementing MITREid - CIS 2014 Presentation

Similar to Implementing MITREid - CIS 2014 Presentation (20)

Recently uploaded

Recently uploaded (20)

Implementing MITREid - CIS 2014 Presentation

Editor's Notes