OIDF Workshop at Verizon Media -- 9/30/2019 -- OpenID Connect Federation Update

•

0 likes•1,354 views

Roland Hedberg with Catalogix and the OpenID Foudation provided an update on OpenID Connect Federation at the OIDF Workshop at Verizon Media on Monday, September 30, 2019 in Sunnyvale, CA.

Internet

OIDC Federation
Roland Hedberg, catalogix.se

Goal
Extend OIDC to be able to support multi lateral federations

Trusted information
• Correctness

• Tamper resistance

• Policy conformant

• Based on a trusted 3rd party
(trust anchor)

• Expressed in a trust chain

Information model
• Everyone, or someone representing an entity, publish self-
signed entity statements with metadata statement

• Intermediates and trust anchors publish metadata policies
about subordinates.

$Entity Statement { "iss": "https://feide.no", "sub": "https://ntnu.no", "iat": 1516239022, "exp": 1516298022, "metadata_policy": { "openid_provider": { "organization_name": {"value": "NTNU"}, "id_token_signing_alg_values_supported": {"subset_of": ["RS256", "RS384", "RS512"]}, } }, "jwks": { "keys": [ { "e": “AQAB", "kid": “key1", "kty": "RSA", "n": “pnXBOusEANuug6ewezb9J_...", "use": "sig" } ] }, "authority_hints": ["https://edugain.org/federation"] }$

$Federation entity metadata "metadata": { "federation_entity": { "federation_api_endpoint": "https://example.com/federation_api_endpoint", "name": "The example cooperation", "max_path_length": 2, "naming_constraints": { "permitted": ["https://.example.com"], "excluded": ["https://east.example.com"] } } }$

A simple example
If we have an RP that belongs to
organization A that is a member of
federation F, the trust chain for such
a setup will contain the following
entity statements

1. A self-signed entity statement about the
RP published by the RP

2. An entity statement about the RP
published by Organization A

3. An entity statement about Organization
A published by Federation F
RP OP
1
2
3

FEIDE
NTNU
ENTITY
FEIDE
NTNU
ENTITY
ENTITY
Verifying integrity

Multi tenant service support
in .well-known
entity_id

• https://multi-tenant-service.example.com/my-tenant-identiﬁer

well-known URL

• https://multi-tenant-service.example.com/.well-known/openid-
federation/my-tenant-identiﬁer (RFC8414 like)

• https://multi-tenant-service.example.com/my-tenant-
identiﬁer/.well-known/openid-federation (violates RFC8615)

Trust anchor key rotation
Key rotation of the trust anchor is supported by the use of
the jwks claim in self-signed entity statements.

Policy language
• subset_of

• one_of

• superset_of

• add

• value

• default

• essential

Applying Metadata policies
Federation Operator
Intermediate 1
Intermediate 2
Client
metadata
Metadata

policies

Client registration methods
• Automatic

• The client perfoms no registration, instead it sends an authorization request
with client_id == entity_id and client authentication method private_key_jwt.
• The OP needs to fetch the RP’s self-signed entity statement.
• Explicit

• The client does a client registration. The OP responds with a entity
statement about the RP with a metadata policy.

• The RP provides the OP with the self-signed entity statement in the body of
the client registration request

Status
• Implementations

• Python

• Java being worked on

• Hackathon at TechEX19 in december

• https://github.com/rohe/oidcfederation (bleeding edge)

Please review !

Identity is ubiquitous. Regardless of the kind of applications you develop you will, at some point, almost certainly have to deal with identifying users of the app. Yet it's seldom a central part of the app’s value proposition and rarely a core competency for developers. Wouldn’t it be nice to outsource user authentication and free yourself from the liability and complexity of storing and managing passwords? OpenID Connect, just ratified earlier this year and backed by some big industry names, is emerging as the go to standard way to do exactly that. Connect allows you to easily and securely get an answer to the question: “What is the identity of the person currently using this browser or native app?” Unlike some of it’s predecessors, however, Connect has roots spanning the consumer, SaaS and enterprise space and is better suited to serve a diverse set of deployments. Come find out more about Connect in this talk from a seasoned veteran of the prestigious basement conference rooms at GlueCon.

OpenID Foundation's Risk Incident and Sharing Communication (RISC) Work Group...

MikeLeszcz

apidays LIVE Australia 2021 - Levelling up database security by thinking in A...

apidays

OpenAM Survival Tips

ForgeRock

OIDF Workshop at Verizon Media -- 9/30/2019 -- Research & Education Working G...

OpenIDFoundation

Enterprise Security Requirements

WSO2

To view recording of this webinar please use the below URL: http://wso2.com/library/webinars/2016/06/enterprise-security-requirements/ Meeting enterprise security requirements has now become challenging due to development of orthogonal aspects. Systems are diverse because a single vendor can’t cater to all these needs. Some enterprise also introduce public SaaS in addition to their internal on-premise system. APIs are used to make data in these systems readily available in order to integrate with other systems and automate processes. Identity and access management (IAM) systems are expected to provide centralized authentication and authorization despite the increase in complexity of data, systems and identities. This webinar will discuss how to Enable SSO for heterogeneous systems Handle different types of enterprise identities Protect your data and APIs Implement centralized authorization and authentication management

OIDF Workshop 4/29/2019 -- OpenID Research & Education Working Group Update

OpenIDFoundation

Identity Management with the ForgeRock Identity Platform - So What’s New?

ForgeRock

It’s no secret that Identity Management is a key component to any modern identity solution. Organizations need to easily provision, de-provision and perform synchronization & reconciliation tasks across not just users, but devices and things as well. The future of Identity Management will require the unique flexibility of a service based approach with custom configurable administrative and self-service capabilities that can handle any kind of Identity. Find out more about how all forms of identity (business, consumer and device) can by centralized, normalized, coordinated and managed by policy - and automated to ensure a consistent experience that complies with regulations and policies. Discover how ForgeRock can help you deliver Identity Management the right way to your customers, partners and employees. Learn more about ForgeRock Access Management: https://www.forgerock.com/platform/access-management/ Learn more about ForgeRock Identity Management: https://www.forgerock.com/platform/identity-management/

OpenAM - An Introduction

ForgeRock

OpenID Connect: The new standard for connecting to your Customers, Partners, ...

Salesforce Developers

With the proliferation of cloud applications, mobile devices, and the need to connect to external users, IT organizations are increasingly challenged with how to manage and gain transparency into user access to systems and applications. As your organization looks to deploy Identity in the cloud, it’s critical that this is backed by open-standards. In this webinar, Chuck Mortimore, Pat Patterson, and Ian Glazer will give you a broad overview of how OpenID Connect can help better connect you with your customers, partners, apps, and devices Key Takeaways Get introduced to OpenID Connect, learn how it builds on top of OAuth, and discover why it’s an important new standard for your organization Consume OpenID Connect from popular Identity providers with Social Sign-On Provide a single, branded Identity to your own users and applications using OpenID Connect Use OpenID Connect to easily build Identity-enabled mobile applications Plan for the next generation of connected devices Intended Audience This webinar is aimed at a technical audience of administrators, developers, architects and business analysts who are wishing to learn more about Identity and Standards

OpenID Connect vs. OpenID 1 & 2

Mike Schwartz

OpenID Connect is the newest iteration of the OpenID Internet authentication standard that’s been developed in coordination by Google, Facebook, Microsoft and others at the OpenID Foundation. OpenID Connect performs many of the same tasks as OpenID 1 & 2, but does so in a way that is API-friendly, and usable by native and mobile applications. OpenID 1 and 2 lend part of their name, but Connect is a complete re-write that is fundamentally better architected for the modern web in a few important ways.

Implementing security requirements for banking API system using Open Source ...

Yuichi Nakamura

Webinar: ForgeRock Identity Platform Preview (Dec 2015)

ForgeRock

The wait is over! ForgeRock is releasing shiny new versions of all solution areas of the ForgeRock Identity Platform. To give you a preview on what’s coming, join this webinar to hear directly from the Product Managers what’s new in: Access Management Identity Management Directory Services Identity Gateway Shared Services Learn more about ForgeRock Access Management: https://www.forgerock.com/platform/access-management/ Learn more about ForgeRock Identity Management: https://www.forgerock.com/platform/identity-management/

How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...

Torsten Lodderstedt

CIS13: Identity at Scale

CloudIDSummit

Hans Zandbelt, Technical Architect, Ping Identity As the numbers and types of applications, devices and users grow, enterprise businesses face scalability challenges in dealing with Identity and Access Management (IAM) and federated Single Sign On (SSO) across web, mobile, enterprise and cloud environments. This session analyzes major issues that impact IAM and SSO scalability and explores possible approaches to address these issues. Topics include: · Trends and drivers for next generation identity and access management · A bird's eye view of new standards for IAM across web and mobile · Approaches for managing federated SSO on an Internet scale

What's hot

OIDF Workshop at Verizon Media -- 9/30/2019 -- Browser Changes Impacting Iden...

OpenIDFoundation

OpenID Foundation RISC WG Update - 2017-10-16

MikeLeszcz

OIDF Workshop at Verizon Media -- 9/30/2019 -- FastFed Working Group Update

OpenIDFoundation

OIDF Workshop at Verizon Media -- 9/30/2019 -- OpenID Certification Program U...

OpenIDFoundation

OpenID Foundation Research & Education Working Group Update - October 22, 2018

OpenIDFoundation

OpenID Foundation Connect Working Group Update - October 22, 2018

OpenIDFoundation

OIDF Workshop at Verizon Media -- 9/30/2019 -- OpenID Connect Working Group U...

OpenIDFoundation

OpenID Connect - a simple[sic] single sign-on & identity layer on top of OAut...

Brian Campbell

OpenID Foundation's Risk Incident and Sharing Communication (RISC) Work Group...

MikeLeszcz

apidays LIVE Australia 2021 - Levelling up database security by thinking in A...

apidays

OpenAM Survival Tips

ForgeRock

OIDF Workshop at Verizon Media -- 9/30/2019 -- Research & Education Working G...

OpenIDFoundation

Enterprise Security Requirements

WSO2

OIDF Workshop 4/29/2019 -- OpenID Research & Education Working Group Update

OpenIDFoundation

Identity Management with the ForgeRock Identity Platform - So What’s New?

ForgeRock

OpenAM - An Introduction

ForgeRock

OpenID Connect: The new standard for connecting to your Customers, Partners, ...

Salesforce Developers

OpenID Connect vs. OpenID 1 & 2

Mike Schwartz

Implementing security requirements for banking API system using Open Source ...

Yuichi Nakamura

Webinar: ForgeRock Identity Platform Preview (Dec 2015)

ForgeRock

What's hot (20)