Synergistically using digital identity to securely adopt cloud computing, mobile, and social. Introduction to the "Neo Security Stack" of digital identity standards, namely OpenID Connect, OAuth, JWT, and SCIM, and how to use them together.
Synergies of Cloud Identity: Putting it All Together
1. Synergies of Cloud Identity: Putting it All Together
By Travis Spencer, CEO
2. Agenda
• Impact of mobile and cloud on business
• Central role of identity in coping with these changes
• Using the different identity specs together to this end
Copyright (C) 2012 Twobo Technologies AB
3. Mobile is Changing Business
• 75% of mobiles in Scandinavia are smartphones; 50% in rest of Europe & US
• BYOD is a foregone conclusion for most
– 90% of orgs will support corporate apps on personal devices by 2014
• 80% of orgs will use tablets by next year
4. Mobilizing Business Processes
• Workflows are a business’s circulatory system
• Automation and efficiency are critical
• Mobile helps optimize these processes
5. Reusing Existing Technology
• Prior technology investments will remain on the books for years
• Existing data/systems must be available to mobile users and cloud services
• IT organizations need to bridge the old and new technologies
6. Seamless Access to Cloud Apps
• Giving employees new passwords for each cloud app is not secure or scalable
• 123456 is not a secure password, but cloud providers allow it!
• Existing OTP tokens are not supported
• Seamless cloud access is required
7. Crucial Security Concerns
[Figure: three boxes labelled Enterprise Security, API Security and Mobile Security]
8. Identity is Central
[Venn diagram: Mobile Security (MDM, MAM), Enterprise Security (AuthZ) and API Security, with Identity at their intersection]
Venn diagram by Gunnar Peterson
9. Neo-security Stack
• SCIM, SAML, OAuth, and JWT are the new standards-based cloud security stack
• OAuth 2 is the new meta-protocol defining how tokens are handled
• These address old requirements, solve new problems & are composed in useful ways
[Figure: OpenID Connect; cartoon captions "Grandpa SAML & junior" and "WS- again?"]
10. SAML + OAuth
• Relay OAuth token in SAML messages
• Use SAML tokens to authenticate OAuth clients or as the AS’s output token format
• Use SAML SSO to authenticate users to AS
11. SCIM + OAuth
• Use OAuth to secure SCIM API calls
• Use SCIM to create accounts needed to access APIs secured using OAuth
12. Push Tokens & Pull Identities
[Diagram: IdP/SCIM Server and SP/SCIM Client, with a Browser between them; the access token travels in the federation message via the browser, then the SP/SCIM Client sends Get User to the IdP/SCIM Server and receives User Data]
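The composition from slides 11 and 12 (OAuth protecting the SCIM API, the access token pushed to the SP in a federation message, the SP then pulling the user record) as an added Python example that is not part of the original deck. The HMAC key, the SCIM user record and the dict standing in for the federation message are constructed stand-ins; a real deployment would carry the token in a SAML attribute or OpenID Connect response and verify it against the authorization server's published keys.

```python
import base64, hashlib, hmac, json, time
from typing import Optional, Tuple

# Constructed key and SCIM user store for this example only (not a real deployment).
AS_KEY = b"constructed-authorization-server-hmac-key"
SCIM_USERS = {"2819c223": {"id": "2819c223", "userName": "bjensen",
                           "emails": [{"value": "bjensen@example.com"}]}}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_access_token(subject: str, scope: str, ttl: int = 300) -> str:
    """Authorization server: mint an HS256 JWT access token scoped for the SCIM API."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": subject, "scope": scope, "aud": "scim", "exp": int(time.time()) + ttl}
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(AS_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def verify_access_token(token: str) -> Optional[dict]:
    """SCIM server: check alg, signature, audience and expiry; return claims or None."""
    try:
        header, payload, sig = token.split(".")
        if json.loads(b64url_decode(header)).get("alg") != "HS256":
            return None  # refuse 'none' or any algorithm we did not agree on
        expected = hmac.new(AS_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            return None
        claims = json.loads(b64url_decode(payload))
    except ValueError:  # malformed base64 or JSON
        return None
    if claims.get("aud") != "scim" or claims.get("exp", 0) < time.time():
        return None
    return claims

def scim_get_user(user_id: str, authorization: str) -> Tuple[int, dict]:
    """SCIM server: GET /Users/{id}, protected by an OAuth bearer token with scope scim:read."""
    if not authorization.startswith("Bearer "):
        return 401, {"detail": "missing bearer token"}
    claims = verify_access_token(authorization[len("Bearer "):])
    if claims is None:
        return 401, {"detail": "invalid or expired token"}
    if "scim:read" not in claims.get("scope", "").split():
        return 403, {"detail": "insufficient scope"}
    return (200, SCIM_USERS[user_id]) if user_id in SCIM_USERS else (404, {"detail": "user not found"})

def sp_pull_identity(federation_message: dict) -> Tuple[int, dict]:
    """SP: use the access token pushed in the federation message to pull the user over SCIM."""
    return scim_get_user(federation_message["sub"], "Bearer " + federation_message["access_token"])
```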
13. SCIM + SAML/OIC
• Carry SCIM attributes in SAML assertions (bindings for SCIM)
– Enables JIT provisioning
– Supplements SCIM API & schema
• Provision accounts using the SCIM API, updated before/after logon
14. OpenID Connect
• Builds on OAuth for profile sharing
• Uses the flows optimized for user-consent scenarios
• Adds identity-based inputs/outputs to core OAuth messages
• Tokens are JWTs
15. User Managed Access
• Also extends OAuth 2
• Allows users to centrally control distribution of their identity data
• Used with Personal Data Stores (PDS) to create “identity data lockers”