
Implementing MITREid - CIS 2014 Presentation


The story of MITREid, a corporate identity system implemented at MITRE built around OpenID 2.0 and, later, OpenID Connect.


  1. The story of MITREid. Justin Richer, The MITRE Corporation. © 2014 The MITRE Corporation. All rights reserved. Approved for Public Release: Distribution Unlimited (Case Number: 14-1639)
  2. The plight of a software developer • I build things that people use • I want to know who’s there • What can I do?
  3. 1. Make local accounts
  4. 1. Make local accounts
  5. 1. Make local accounts
  6. 2. Use LDAP
  7. 2. Use LDAP
  8. 3. Use Enterprise SSO
  9. 3. Use Enterprise SSO
  10. 3. Use Enterprise SSO (diagram labels: Firewall, Intranet, Internet)
  11. What to do?
  12. Give people a digital identity
  13. Let’s build something • OpenID 2.0 Server • Running on corporate IT hardware in corporate IT environment • Backed by corporate SSO and user profile information • “We do SSO so you don’t have to”
  14. Why OpenID? • Open standard protocol • Network-based federation • User-driven trust model • Simple to use and develop
  15. Make it easy for developers: Platform support • Libraries: Java, PHP, Python, Javascript, Ruby, Perl, … • Platforms & Plugins: Spring Security, Elgg, Wordpress, Mediawiki, Omniauth, Drupal, …
  16. Usage Profile: The prototype (diagram labels: Firewall, Intranet, Internet, OpenID Server, SSO)
  17. Usage Profile: The external service (diagram labels: Firewall, Intranet, Internet, OpenID Server, SSO)
  18. User Profiles: The mobile user (diagram labels: Firewall, Intranet, Internet, OpenID Server, 2FA)
  19. The architecture (diagram labels: Firewall, User Profiles, Shared Database, Internal OP, External OP, Intranet, Internet, Two-Factor Authn, Corporate SSO)
  20. Runtime security decisions
  21. Adoption by the extended enterprise
  22. The Long Tail (chart; axis ticks 1, 10, 100, 1000, 10000)
  23. We didn’t even plan this
  24. Multiple types of user
  25. Moving on from OpenID 2.0
  26. Let’s build it (again)! • OAuth 2.0 and OpenID Connect server • OpenID Connect client library • Enterprise-friendly features and platform • Flexible deployment and...
  27. Open Source
  28. We’re running it ourselves
  29. Building the specifications
  30. Moving toward federation across the extended enterprise
  31. Better security: Separation (diagram label: OpenID Provider)
  32. Delegating services: OAuth (diagram label: OpenID Provider)
  33. Better security: Revocation
  34. Easier integration by developers (diagram label: OpenID Provider) • Standard • Agile • Flexible • Distributed | • Proprietary • Fragile • Rigid • Centralized
  35. Better administration: An abstraction layer (diagram label: OpenID Provider)
  36. Scalable security decisions • Whitelist: trusted partners, business contracts, customer organizations, trust frameworks • Graylist: user-based trust decisions; follow a Trust on First Use model, keep logs • Blacklist: very bad sites we don’t want to deal with, ever. Organizations decide these (whitelist, blacklist); end-users decide these (graylist)
  37. Conclusions • Use open standards • Give your people digital identities and let them decide where to use them • Use federation where possible
  38. Questions? jricher@mitre.org
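The whitelist / graylist / blacklist model from slide 36, worked through as an added example (this is not MITREid Connect's own code): the organization's lists are checked first, the blacklist cannot be overridden by a user, and graylist clients fall back to a logged Trust on First Use decision made by the end-user. Client identifiers, user names and list contents are constructed sample values.

```python
"""Trust decisions for relying parties at an OpenID Provider (illustration)."""
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"        # organization (or the user, via TOFU) trusts the client
    DENY = "deny"          # organization never deals with this client
    ASK_USER = "ask_user"  # graylist: first use by this user, the user decides


@dataclass
class TrustPolicy:
    # Organization-decided lists: business contracts, trust frameworks, bad sites.
    whitelist: set
    blacklist: set
    # End-user-decided graylist: (user, client) pairs approved on first use.
    approvals: set = field(default_factory=set)
    log: list = field(default_factory=list)

    def decide(self, user: str, client_id: str) -> Decision:
        """Blacklist wins over everything, then whitelist, then the user's TOFU record."""
        if client_id in self.blacklist:
            self.log.append(f"DENY user={user} client={client_id} reason=blacklist")
            return Decision.DENY
        if client_id in self.whitelist:
            return Decision.ALLOW
        if (user, client_id) in self.approvals:
            self.log.append(f"ALLOW user={user} client={client_id} reason=tofu")
            return Decision.ALLOW
        return Decision.ASK_USER

    def approve(self, user: str, client_id: str) -> None:
        """Record the user's first-use choice; keep a log line so it can be audited."""
        if client_id in self.blacklist:
            raise PermissionError(f"{client_id} is blacklisted; users cannot override")
        self.approvals.add((user, client_id))
        self.log.append(f"TOFU user={user} approved client={client_id}")


def build_sample_policy() -> TrustPolicy:
    """Constructed sample lists (hypothetical client identifiers)."""
    return TrustPolicy(
        whitelist={"https://partner.example"},
        blacklist={"https://bad.example"},
    )
```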
