The story of MITREid
Justin Richer
The MITRE Corporation
© 2014 The MITRE Corporation. All rights reserved.
Approved for Public Release: Distribution Unlimited (Case Number: 14-1639)
The plight of a software developer
• I build things that people use
• I want to know who’s there
• What can I do?
1. Make local accounts
2. Use LDAP
3. Use Enterprise SSO
[Diagram: Firewall between Intranet and Internet]
What to do?
Give people a digital identity
Let’s build something
• OpenID 2.0 Server
• Running on corporate IT hardware in corporate IT environment
• Backed by corporate SSO and user profile information
• “We do SSO so you don’t have to”
Why OpenID?
• Open standard protocol
• Network-based federation
• User-driven trust model
• Simple to use and develop
Make it easy for developers: Platform support
• Libraries:
– Java
– PHP
– Python
– Javascript
– Ruby
– Perl
– …
• Platforms & Plugins:
– Spring Security
– Elgg
– Wordpress
– Mediawiki
– Omniauth
– Drupal
– …
Usage Profile: The prototype
[Diagram: Firewall between Intranet and Internet; OpenID Server backed by SSO]
Usage Profile: The external service
[Diagram: Firewall between Intranet and Internet; OpenID Server backed by SSO]
User Profiles: The mobile user
[Diagram: Firewall between Intranet and Internet; OpenID Server with 2FA]
The architecture
[Diagram: Internal OP on the Intranet and External OP on the Internet, separated by the Firewall, both sharing a database of User Profiles; authentication via Corporate SSO and Two-Factor Authn]
Runtime security decisions
Adoption by the extended enterprise
The Long Tail
[Chart: The Long Tail, log-scale axis from 1 to 10000]
We didn’t even plan this
Multiple types of user
Moving on from OpenID 2.0
Let’s build it (again)!
• OAuth 2.0 and OpenID Connect server
• OpenID Connect client library
• Enterprise-friendly features and platform
• Flexible deployment
and...
Open Source
We’re running it ourselves
Building the specifications
Moving toward federation across the extended enterprise
Better security: Separation
[Diagram: OpenID Provider]
Delegating services: OAuth
[Diagram: OpenID Provider]
Better security: Revocation
Easier integration by developers
[Diagram: OpenID Provider, contrasting two lists]
• Standard
• Agile
• Flexible
• Distributed
versus
• Proprietary
• Fragile
• Rigid
• Centralized
Better administration: An abstraction layer
[Diagram: OpenID Provider]
Scalable security decisions
• Whitelist (organizations decide these): trusted partners, business contracts, customer organizations, trust frameworks
• Graylist (end-users decide these): user-based trust decisions; follow a Trust on First Use model, keep logs
• Blacklist (organizations decide these): very bad sites we don’t want to deal with, ever
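The three-tier trust decision above, written out as an added example (this is not MITREid's own code; site names, users and the in-memory stores are constructed for illustration). Organization-managed whitelist and blacklist are consulted first, the blacklist wins over the whitelist, and anything else falls to the graylist where the end user decides once, the approval is remembered per user (Trust on First Use), and every decision is logged.

```python
"""Added example: an OpenID Provider deciding whether a relying party
may receive a user's identity, using the whitelist / graylist / blacklist
model. All data below is constructed sample data, not real sites."""
from dataclasses import dataclass, field
from enum import Enum
from urllib.parse import urlparse


class Decision(Enum):
    ALLOW = "allow"        # release identity to the relying party
    DENY = "deny"          # refuse outright
    ASK_USER = "ask_user"  # graylist site this user has not yet approved


@dataclass
class TrustPolicy:
    # Organization-managed lists, keyed by hostname (not full URL).
    whitelist: set[str] = field(default_factory=set)
    blacklist: set[str] = field(default_factory=set)
    # Graylist approvals remembered per user (TOFU): {user: {hostname, ...}}
    tofu_approvals: dict[str, set[str]] = field(default_factory=dict)
    # Audit log of every decision: (user, hostname, decision, reason)
    log: list[tuple[str, str, Decision, str]] = field(default_factory=list)

    @staticmethod
    def host_of(return_to: str) -> str:
        """Normalize the relying party's return URL to a lowercase hostname,
        so that https://partner.example/cb and http://partner.example:8080/x
        both map to 'partner.example'. Non-http(s) or malformed URLs
        yield '' so they can never match a whitelist entry."""
        parsed = urlparse(return_to)
        host = (parsed.hostname or "").lower()
        if parsed.scheme not in ("http", "https") or not host:
            return ""
        return host

    def _record(self, user: str, host: str, decision: Decision, reason: str) -> Decision:
        self.log.append((user, host, decision, reason))
        return decision

    def decide(self, user: str, return_to: str) -> Decision:
        """Decide for `user` whether the site at `return_to` may receive
        their identity. Blacklist is checked before whitelist so an
        organization can cut off a site without editing two lists."""
        host = self.host_of(return_to)
        if not host:
            return self._record(user, host, Decision.DENY, "unparseable return_to")
        if host in self.blacklist:
            return self._record(user, host, Decision.DENY, "blacklisted by organization")
        if host in self.whitelist:
            return self._record(user, host, Decision.ALLOW, "whitelisted by organization")
        if host in self.tofu_approvals.get(user, set()):
            return self._record(user, host, Decision.ALLOW, "user approved earlier (TOFU)")
        return self._record(user, host, Decision.ASK_USER, "graylist, first use for this user")

    def user_answers(self, user: str, return_to: str, approve: bool) -> Decision:
        """Apply the end user's answer to a graylist prompt. An approval is
        remembered for that user only; organization lists are never
        changed by end users, and a user cannot override a blacklist."""
        host = self.host_of(return_to)
        if not host or host in self.blacklist:
            return self._record(user, host, Decision.DENY, "user cannot override blacklist")
        if approve:
            self.tofu_approvals.setdefault(user, set()).add(host)
            return self._record(user, host, Decision.ALLOW, "user approved (TOFU, remembered)")
        return self._record(user, host, Decision.DENY, "user declined")

    def revoke(self, user: str, return_to: str) -> None:
        """Let a user withdraw an earlier TOFU approval for a site."""
        self.tofu_approvals.get(user, set()).discard(self.host_of(return_to))


def demo() -> list[Decision]:
    """Constructed walk-through; returns the sequence of decisions made."""
    policy = TrustPolicy(whitelist={"partner.example"}, blacklist={"evil.example"})
    return [
        policy.decide("alice", "https://partner.example/openid/return"),       # ALLOW
        policy.decide("alice", "https://evil.example/return"),                 # DENY
        policy.decide("alice", "https://newsite.example/return"),              # ASK_USER
        policy.user_answers("alice", "https://newsite.example/return", True),  # ALLOW
        policy.decide("alice", "https://newsite.example/other"),               # ALLOW via TOFU
        policy.decide("bob", "https://newsite.example/return"),                # ASK_USER (bob never approved)
        policy.decide("alice", "not a url"),                                   # DENY
    ]


if __name__ == "__main__":
    for d in demo():
        print(d.value)
```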
Conclusions
• Use open standards
• Give your people digital identities and let them decide where to use them
• Use federation where possible
Questions?
jricher@mitre.org
Implementing MITREid - CIS 2014 Presentation

Editor's Notes

  1. It’s 2009. I’m not part of corporate IT, but I build interesting stuff that people want to use.
  2. Make everybody sign up for accounts
  3. But now I have to do key management. And I’ll probably get it wrong.
  4. But mine isn’t the only application that people use: bad UX, password management, extra credentials floating around. And I probably got something wrong. Besides, the user already has an account; let’s use that…
  5. Use same password across many sites, all backed by the same user store
  6. Benevolent MITM: the user sends me their credentials directly, and I replay those credentials against another service to make sure they’re good. The site could easily replay user credentials somewhere else, and users still need to enter UN/PW. I never want to see your passwords! Plus, it’s not an HTTP protocol.
  7. Why not use traditional enterprise SSO? Users get a cookie that represents them, it’s easy to integrate, it’s how we’ve always done it…
  8. HAHA: No. SSO domains are closely guarded and protected, centrally controlled. I’m not an official IT app developer; I don’t have permission (and often can’t get permission). Many implementations suffer from the same MITM problems via domain-wide cookies (this has been used as a “feature” to proxy content for users).
  9. Additionally, the traditional SSO approach can’t extend to sites outside the firewall.
  10. “Welcome to your first day, now go get a gmail account so we can get started.” We give employees a phone, we give them an email address, why not an identity?
  11. OpenID 2.0 server backed by corporate SSO. “We do SSO so you don’t have to.” Running on corporate hardware in a corporate environment. Funded by a (tiny) corporate research initiative.
  12. Automatically cross-platform
  13. Libraries are available for OpenID 2.0 in a wide array of languages and platforms. One discussion with an identity vendor: “We support *both* platforms!” … ?
  14. User is inside, the site they’re accessing is also inside. Typical development prototype system, driving much of my original use case.
  15. User is inside, site is on the outside. This bridges corporate SSO credentials to an outside site, like Stack Overflow. MITRE now has a nearly-SSO user experience for a site that we have no contract or other special relationship with. Think about the implications of that.
  16. User outside, site outside. We want more factors (especially with personal devices) but want to allow access to any external sites. We do *not* allow people to tunnel into the firewall.
  17. We have deployed both OpenID 2.0 and OpenID Connect using this architecture. Shared DNS between servers (both look like “id.mitre.org”).
  18. Screenshot of the MITREid OpenID 2.0 server. Security decisions for users: if you don’t know the answer to a trust question, ask the end user. Remember the decision. Log the event. TOFU: Trust On First Use.
  19. MITRE’s Handshake system (at the time another research prototype, now a well-used production service) is hosted outside of MITRE’s firewall to allow external user access. Handshake needed a mechanism that allowed MITRE people to log in using SSO credentials. They used the OpenID prototype to great success. Handshake is whitelisted by the OpenID server, meaning most users have an SSO experience and don’t realize they’re using OpenID at all.
  20. Each bar is one site that was used, at least once, at the OpenID 2.0 server. Logarithmic scale, number of users per site. Traditional IT likes to take care of the top couple of sites (the “80%” rule). But what about all the sites with 5 users? 50 users? Most of the top ten aren’t whitelisted – some of the top sites aren’t even run by MITRE! There are 416 total sites. There are 7896 total users. There are 12611 total site approvals.
  21. Somebody had set up a Gitorious instance inside the firewall. Gitorious already had built-in OpenID 2.0 support. I typed in my identifier and it just worked.
  22. id.mitre.org: current MITRE users. partnerid.mitre.org: external-to-MITRE username/password accounts. cacproxy.mitre.org: DoD CAC holders. We can separate classes of users foremost based on their IdP of origin. In the future we hope to have other IdPs not run by MITRE.
  23. We tried to make our OpenID 2.0 system as compatible and capable as possible (PAPE, SREG, AX, directed identities), but the world was starting to look into the future capabilities of OAuth2 and OpenID Connect.
  24. MITREid Connect. MITREid was built on a shoestring budget with duct tape and baling wire; MITREid Connect was engineered much more deliberately and released as open source (before any code was developed
  25. Apache 2.0 license. Transitioned to MIT KIT in fall 2013 (co-owned by MITRE). MITRE continues to contribute through the OSS process.
  26. Server and client in Java / Spring / Spring Security. Related projects: JWK generator, JS account chooser, example custom server, example custom client. All major development, bugs, and documentation done on GitHub (small adaptor layers for
  27. Track and help build the specifications in IETF and OIDF. Bring our use cases to the table and participate in the discussions; make sure the general solution is robust and powerful for all.
  28. No need for domain-wide cookies to get SSO-like behavior (like “classic” enterprise SSO uses). Primary and global-secondary credentials aren’t leaked through sites; pairwise authentication only.
  29. (incidentally, that back-end connection is where OAuth comes in, and we’re also using that extensively)
  30. We can revoke access to specific sites autonomously at the IdP. Different sites get different parts of my identity.
  31. Don’t need to ask a sysadmin’s permission (!!). Support across a wide variety of platforms and use cases.
  32. Avoid mass upgrades to all the sites that are connected to your infrastructure (as long as the protocol doesn’t change) When we switched from CA SiteMinder to Oracle Access Manager, the hundreds of sites (MITRE and not) that were using the OpenID system never even knew the change happened.
  33. End users know what they’re trying to do – ask them to make the decisions (in the right circumstances)
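The runtime security decision of note 18 (ask the user, remember the decision, log the event), the whitelisting of note 19 and the per-site revocation and partial identity release of note 30, as an added Python illustration; this is not MITREid code (which is Java/Spring), and the site and attribute names in it are constructed placeholders.

```python
# Added illustration, not code from MITREid: an IdP-side approval store
# that applies "if you don't know the answer to a trust question, ask the
# end user, remember the decision, log the event" (trust on first use),
# with a whitelist of sites approved silently and per-site revocation.
# Site and attribute names below are constructed placeholders.
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple

# Sites the IdP operator trusts outright (constructed name; the notes
# mention one such whitelisted site but this is not it).
WHITELIST = frozenset({"handshake.example"})

# Callback that prompts the end user: (user, site, attributes) -> approved?
AskUser = Callable[[str, str, FrozenSet[str]], bool]


@dataclass
class ApprovalStore:
    # (user, site) -> attributes the user has already released to that site
    approvals: Dict[Tuple[str, str], FrozenSet[str]] = field(default_factory=dict)
    log: List[tuple] = field(default_factory=list)

    def decide(self, user: str, site: str, requested, ask: AskUser) -> Optional[FrozenSet[str]]:
        """Return the attributes to release to `site`, or None if the user denies."""
        requested = frozenset(requested)
        if site in WHITELIST:
            self.log.append(("whitelist", user, site))
            return requested
        remembered = self.approvals.get((user, site), frozenset())
        if requested <= remembered:
            # A remembered decision answers the question; no prompt needed.
            self.log.append(("remembered", user, site))
            return requested
        # Unknown site, or a site asking for more than before: ask the user
        # about only the attributes not already approved.
        if not ask(user, site, requested - remembered):
            self.log.append(("denied", user, site, tuple(sorted(requested))))
            return None
        self.approvals[(user, site)] = remembered | requested
        self.log.append(("approved", user, site, tuple(sorted(requested))))
        return requested

    def revoke(self, user: str, site: str) -> bool:
        """Drop a site's approval at the IdP; later requests are asked again."""
        removed = self.approvals.pop((user, site), None) is not None
        self.log.append(("revoked", user, site, removed))
        return removed
```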