Copyright ©2013 Ping Identity Corporation. All rights reserved.

Identity at Scale
Hans Zandbelt
CTO Office – Ping Identity
CIS 2013
Contents
•  Trends and Standards
•  Identity at Scale
•  Recommendations
Trends
•  Cloud (SaaS), Mobile, Social
   –  Authentication: SAML -> +OpenID Connect
•  Web -> API
   –  Core business: information and data, not presentation
•  Internet of Things
•  Mutual authentication?
   –  controlling other cars, toasters, lightbulbs
Standards (the nice thing is…)
•  Standards
   –  Interoperability: need to deal with another vendor’s API/product? Not an app for every thing in the IoT!
   –  cross-domain
   –  competition, replaceable implementations, leading to good but cheap products?
•  APIs
   –  Light-weight, SOAP -> REST/OAuth 2.0
•  Web SSO
   –  Enterprise/Customer Identity, Consumer Identity
   –  SAML -> OpenID Connect: scale?
•  OpenID Connect
   –  Simplicity for clients/RPs -> complexity shifted to the OP
IDENTITY AT SCALE
1-1 Federated Identity Today
•  Increase of Cloud/SaaS adoption
   –  # federated SSO applications (SAML)
   –  # partner connections
   –  # connection management overhead (*)
•  But(!) also for “incidental” connections
   –  How to obtain updates
      •  Authoritative source -> trust
      •  Infrastructure: authenticated source (e-mail…)
   –  How to configure them
      •  Automated
      •  Managed, outsourced
(Diagram: three IDPs and three SPs, each pair connected 1-1.)
(*) Connection Management
•  Metadata related (not so standard for other-than-SAML protocols)
   –  key material
   –  SSO service URLs
   –  point of contact
•  Attributes
   –  could be metadata, often isn’t
   –  may be bilateral (!)
   –  required/optional, consent
•  Policies
   –  contractual agreements
   –  privacy
•  End-user/application/SSO related
   –  how users can sign in (relation to service URLs)
   –  change in look and feel
   –  change in functionality
Metadata - SAML 2.0
•  Technical Trust
•  X.509 Certificate
   –  Anchored vs. unanchored
   –  Key vs. other cert info
•  URLs/Bindings
•  Contact info
   –  Company name, admin/tech contact

<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.org/SAML2">

  <!-- insert ds:Signature element -->

  <md:IDPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">

    <md:KeyDescriptor use="signing">
      <ds:KeyInfo>…</ds:KeyInfo>
    </md:KeyDescriptor>

    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.org/SAML2/SSO/POST"/>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://idp.example.org/SAML2/Artifact"/>

  </md:IDPSSODescriptor>

  <md:Organization>
    <md:OrganizationName xml:lang="en">SAML Identity Provider</md:OrganizationName>
    <md:OrganizationURL xml:lang="en">http://www.idp.example.org/</md:OrganizationURL>
  </md:Organization>

  <md:ContactPerson contactType="technical">
    <md:SurName>SAML IdP Support</md:SurName>
    <md:EmailAddress>mailto:saml-support@idp.example.org</md:EmailAddress>
  </md:ContactPerson>

</md:EntityDescriptor>
Connection Management Metadata/Technical Issues
•  Conn Mgmt often a one-shot process (that is, a snapshot)
•  Certificate expiry and update
•  Contact info update
•  URL and binding updates
•  Changes in IDP discovery process
•  Metadata documents can contribute to the solution, but how to scale exchange?
(Diagram: Key Rollover, Contact Info, Bindings & URLs)
BE AWARE
Contrary to popular belief: the connection management problem is NOT specific to SAML; any federated authentication system deployed on true internet scale will have to address this issue.
So: any solution should be protocol agnostic.
TOWARDS A SOLUTION
What can we do?
Solution Approach (n=2): Shared Conn. Mgmt.
•  Single/central/shared point of connection management (trust)
•  Trusted 3rd party
   –  From user trust scaled through a 2nd party, to SP/IDP trust scaled through a 3rd party
•  Compares to TLS and a Certificate Authority, or DNS
•  Challenge
   –  How to create a trusted channel
(Diagram: a Shared Service sits between the IDPs and the SPs.)
A shared service… where does it apply?
•  intra-enterprise
   –  large distributed organizations, both infrastructure and responsibilities/trust (acquisitions and mergers)
   –  connect multiple applications to a variety of externals & internals; “user access firewall”
•  inter-enterprise
   –  verticals: healthcare, automotive, banking/financial, education, but also "cross e-Gov”
   –  homogeneous(!) group with shared interest/organization
(Diagram: IDP–SP pairs.)
A Next Step In Architecture Evolution…
(Diagram, four stages:
 1. Application Server: App 1, App 2, App 3, each with its own Fed component
 2. App Server or Access System: App 1, App 2, App 3 share one Federation component
 3. App Server: App 1, App 2, App 3 behind a separate Federation Server
 4. Several App Servers: App 1 and App 2 behind a Fed Server, App 3 and App 4 with their own Fed components, tied together by Connection Management)
Solution 1: Proxy
•  Indirect peer-to-peer communication
•  Trust proxy only, relay to peers, inband
•  Shift the metadata problem to a central facility: no distributed mgmt
•  Technical trust may be combined with organizational trust
•  Connection Mgmt
   –  MxN -> M+N
•  Accommodate for different SAML implementations
•  Protocol translations are possible
(Diagram: an Operator runs a SAML Proxy that is SP-IDP: the IDPs and the SPs each speak SAML to the proxy only.)
Benefits
•  Scalability of trust
   –  Technical: single connection to proxy, central management of partner connections
   –  Organizational: trust in proxy operator
•  Updates
   –  outsourced to the proxy; proxy to solve…
•  Discovery & Autoconf
   –  Outsourced to the proxy; proxy to solve…
(Diagram: Centralized Trust Mgmt, Updates, Discovery & Autoconf)
Solution 2: Metadata Service
•  aka. multi-party federation
•  Higher Education & Research
   –  InCommon, UK Access Federation
   –  40+ across the world
•  Business Verticals
   –  Healthcare
   –  Finance
   –  e-Gov
•  Async technical trust
•  Sync direct peer-to-peer communication
•  Metadata upload (!)
(Diagram: a Federation Operator publishes SAML Metadata; the IDPs and SPs exchange SAML directly with each other.)
Distribution variants (SAML 2.0 metadata)
•  Flat file based (classic)
   –  > 10 MB files for large federations (EntitiesDescriptor)
•  Query-based (MDX)
•  Well known location for metadata
   –  EntityID-is-URL-to-Metadata
   –  SAML auto-connect (Ping Identity)
•  DNS based (registry)
•  Trust
   1.  signed metadata
   2.  trusted registry
   3.  SSL CA
(Diagram: variants 1, 2 and 3 with IDPs, SPs and DNS.)
Metadata Expiry (!)
•  Attributes validUntil and cacheDuration, on EntitiesDescriptor and EntityDescriptor level
•  use only validUntil to enforce expiration
•  use cacheDuration to override (downward) the refresh interval
•  keep using (valid) metadata if the refresh fails
(Timeline: d = cacheDuration (interval), v = validUntil (timestamp); refreshes at t1, t1+d, t1+2d, … and, after metadata with v=t2, at t2+d, t2+2d, …)
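Added example, not from the slides and not Ping Identity's code: a small Python metadata cache that applies the validUntil/cacheDuration rules on this slide and, for the well-known-location variant on the previous slide, checks that a fetched document's entityID matches the location it was fetched from. The fetch callable, the expected_entity_id parameter, the retry interval and the sample document are assumptions made for the example; XML signature verification of the document is out of scope here.

```python
# Added example (not from the slides): SAML 2.0 metadata refresh policy.
# Assumptions not in the original: the fetch callable, expected_entity_id,
# the retry interval and the constructed SAMPLE_METADATA below.
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed sample: one entity's metadata as served from its well-known
# location, valid for a week, with a one-hour cacheDuration.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="%s"
    entityID="https://idp.example.org/SAML2"
    validUntil="2013-07-15T00:00:00Z" cacheDuration="PT1H">
  <md:IDPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</md:EntityDescriptor>""" % MD_NS

_DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")


def parse_duration(text):
    """Parse the subset of ISO 8601 durations seen in metadata (D/H/M/S)."""
    m = _DURATION.match(text)
    if not m:
        raise ValueError("unsupported duration %r" % text)
    days, hours, minutes, seconds = (int(x or 0) for x in m.groups())
    return timedelta(days=days, hours=hours, minutes=minutes, seconds=seconds)


def parse_timestamp(text):
    """SAML dateTime values are UTC with a 'Z' suffix."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def failing_fetch():
    """Stand-in for a metadata endpoint that is down."""
    raise IOError("metadata endpoint unreachable")


class MetadataCache:
    """Holds the last valid metadata document and decides when to refresh.

    Rules from the slide:
      - only validUntil enforces expiry; expired metadata is never used;
      - cacheDuration may only shorten the configured refresh interval;
      - if a refresh fails, keep the document already held while it is
        still within validUntil.
    """

    def __init__(self, fetch, expected_entity_id=None,
                 default_interval=timedelta(days=1), retry=timedelta(minutes=10)):
        self.fetch = fetch                      # callable returning XML text
        self.expected_entity_id = expected_entity_id
        self.default_interval = default_interval
        self.retry = retry
        self.doc = self.valid_until = self.next_refresh = None

    def _load(self, xml_text, now):
        root = ET.fromstring(xml_text)
        if root.tag not in ("{%s}EntityDescriptor" % MD_NS,
                            "{%s}EntitiesDescriptor" % MD_NS):
            raise ValueError("not a SAML 2.0 metadata document")
        # Well-known-location variant: the document must describe the entity
        # whose URL it was fetched from, or any host could claim any entityID.
        if self.expected_entity_id and root.get("entityID") != self.expected_entity_id:
            raise ValueError("entityID does not match the fetch location")
        if root.get("validUntil") is None:
            raise ValueError("refusing metadata without validUntil")
        valid_until = parse_timestamp(root.get("validUntil"))
        if valid_until <= now:
            raise ValueError("metadata already expired")
        interval = self.default_interval
        if root.get("cacheDuration"):
            interval = min(interval, parse_duration(root.get("cacheDuration")))
        self.doc, self.valid_until = root, valid_until
        # never schedule a refresh beyond the point where the document expires
        self.next_refresh = min(now + interval, valid_until)

    def refresh(self, now):
        """Fetch and validate; on failure keep the current document."""
        try:
            self._load(self.fetch(), now)
            return True
        except Exception:
            if self.doc is not None:
                self.next_refresh = min(now + self.retry, self.valid_until)
            return False

    def get(self, now):
        """Metadata to use at `now`, or None if nothing trustworthy is held."""
        if self.doc is None or now >= self.next_refresh:
            self.refresh(now)
        if self.doc is None or now >= self.valid_until:
            return None
        return self.doc


def demo_timeline():
    """Walk a cache through: fetch OK, endpoint down, validUntil passed."""
    t0 = parse_timestamp("2013-07-08T00:00:00Z")
    cache = MetadataCache(lambda: SAMPLE_METADATA,
                          expected_entity_id="https://idp.example.org/SAML2")
    out = {"loaded": cache.get(t0) is not None,
           "refresh_in_hours": (cache.next_refresh - t0).total_seconds() / 3600}
    cache.fetch = failing_fetch
    t1 = parse_timestamp("2013-07-08T02:00:00Z")     # refresh due, endpoint down
    out["kept_on_failure"] = cache.get(t1) is not None
    t2 = parse_timestamp("2013-07-16T00:00:00Z")     # past validUntil
    out["dropped_after_expiry"] = cache.get(t2) is None
    return out


if __name__ == "__main__":
    print(demo_timeline())
```

The design choice worth noting is that cacheDuration only ever moves the next refresh earlier and that a failed refresh changes the schedule, not the trust decision: the document stays in use until validUntil, and after that it is dropped even if the endpoint is still unreachable.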
Benefits
•  Scalability of trust
   –  Technical: removes need to exchange metadata on peer-to-peer basis
   –  Organizational: federation operator does IDP and SP vetting through contractual agreements
•  Key rollover
   –  Include multiple signing keys for a validUntil period
•  Discovery and auto-configuration
   –  Building block…
Metadata Service layering: interfederation
(Diagram: an Interfederation Operator combines the Metadata of two federations, each with its own IDPs and SPs, into Aggregated Metadata.)
SAML 2.0 Metadata extensions
•  MDUI
   –  SAML V2.0 Metadata Extensions for Login and Discovery User Interface, Version 1.0
•  Entity attributes
   –  SAML V2.0 Metadata Extension for Entity Attributes, Version 1.0
   –  Generic extension point
•  Signed Entity Attributes
   –  Single source of metadata, support multiple trust levels or hierarchies
•  Other protocols
   –  SAML 1.0, SAML 1.1
   –  WS-Federation (ADFS 2.0)
   –  OpenID 2.0
   –  OpenID Connect (?) -> independent registry or attr
Taxonomy + Examples

Deployment \ Model   Proxy              Metadata
External             IDMaaS (PingOne)   Federation (InCommon)
Internal             Proxy (PingFed)    “Metadata Server”
Solution Examples for SAML 2.0
•  Proxy
   –  PingOne
   –  wayf.dk
•  Metadata Service
   –  InCommon
   –  UK Access Federation
Any SAML product implementation today may or may not support one or both models, in the core or through customizations.
OpenID Connect Metadata (OP and RP)
•  Metadata and key material separated
•  Use HTTP cache info for the JWK set (optional)
•  Multiple keys with “kids”
   –  JIT: client fetches kid if unknown
•  Client updates keys with OP through DynReg
(Diagram: OP and RP each publish metadata and a JWK set; a Metadata Service and Dynamic Client Registration sit between them.)
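Added example, not from the slides and not Ping Identity's code: the RP side of the key handling described on this slide, in Python. The JWK set is cached for its HTTP cache lifetime, an unknown kid triggers one just-in-time refetch (which is how a rolled OP key is picked up without reconfiguration), and JIT refetches are rate-limited so that tokens carrying made-up kids cannot be used to hammer the OP. The FakeOP class, the max-age value, the refetch interval and the key material are assumptions made for the example; the keys are placeholders and cannot verify real signatures.

```python
# Added example (not from the slides): RP-side JWK set cache keyed by kid.
# Assumptions not in the original: FakeOP (stands in for jwks_uri), the
# max-age and min_refetch_interval values, and the constructed key material.
import json
from datetime import datetime, timedelta, timezone

# Constructed JWK sets: the OP first publishes key "2013-06", then rolls to
# "2013-07" while keeping the old key so tokens in flight still verify.
JWKS_BEFORE_ROLLOVER = {"keys": [
    {"kty": "RSA", "use": "sig", "kid": "2013-06", "n": "n-old", "e": "AQAB"},
]}
JWKS_AFTER_ROLLOVER = {"keys": [
    {"kty": "RSA", "use": "sig", "kid": "2013-07", "n": "n-new", "e": "AQAB"},
    {"kty": "RSA", "use": "sig", "kid": "2013-06", "n": "n-old", "e": "AQAB"},
]}


class FakeOP:
    """Stand-in for the OP's jwks_uri: serves the current set with a max-age."""

    def __init__(self, jwks, max_age=3600):
        self.jwks, self.max_age, self.hits = jwks, max_age, 0

    def fetch(self):
        self.hits += 1
        return json.loads(json.dumps(self.jwks)), self.max_age   # deep copy


class JwksCache:
    """RP-side cache of the OP's signing keys.

    - honours the cache lifetime (HTTP max-age) of the JWK set document;
    - on an unknown kid, refetches once (JIT) before giving up;
    - rate-limits JIT refetches so bogus kids cannot turn the RP into a
      request amplifier against the OP.
    """

    def __init__(self, fetch, min_refetch_interval=timedelta(seconds=30)):
        self.fetch = fetch                  # callable -> (jwks_dict, max_age_seconds)
        self.min_refetch_interval = min_refetch_interval
        self.keys, self.expires_at, self.last_fetch = {}, None, None

    def _refresh(self, now):
        jwks, max_age = self.fetch()
        self.keys = {k["kid"]: k for k in jwks["keys"] if k.get("use", "sig") == "sig"}
        self.expires_at = now + timedelta(seconds=max_age)
        self.last_fetch = now

    def get_key(self, kid, now):
        if self.expires_at is None or now >= self.expires_at:
            self._refresh(now)                      # normal cache expiry
        key = self.keys.get(kid)
        if key is None and now - self.last_fetch >= self.min_refetch_interval:
            self._refresh(now)                      # JIT: the OP may have rolled its key
            key = self.keys.get(kid)
        if key is None:
            raise KeyError("no signing key with kid=%r at the OP" % kid)
        return key


def demo_rollover():
    """Key rollover as seen from the RP: old key, JIT pickup, bogus kid."""
    t0 = datetime(2013, 7, 8, tzinfo=timezone.utc)
    op = FakeOP(JWKS_BEFORE_ROLLOVER)
    rp = JwksCache(op.fetch)
    out = {"old_key": rp.get_key("2013-06", t0)["n"]}
    op.jwks = JWKS_AFTER_ROLLOVER                   # OP rolls its key
    t1 = t0 + timedelta(minutes=5)                  # RP's cached set still fresh
    out["new_key_jit"] = rp.get_key("2013-07", t1)["n"]   # unknown kid -> one refetch
    out["fetches_so_far"] = op.hits
    try:                                            # bogus kid right after the JIT fetch
        rp.get_key("does-not-exist", t1 + timedelta(seconds=1))
        out["bogus_rejected"] = False
    except KeyError:
        out["bogus_rejected"] = True
    out["fetches_after_bogus"] = op.hits            # rate limit: no extra fetch
    rp.get_key("2013-06", t0 + timedelta(hours=2))  # max-age passed: normal refresh
    out["fetches_after_max_age"] = op.hits
    return out


if __name__ == "__main__":
    print(demo_rollover())
```

The slide's "metadata and key material separated" point is what makes this work: the RP never re-reads the OP's configuration document to learn about a new key, only the JWK set, and the OP can publish both keys side by side until every token signed with the old one has expired.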
RECOMMENDATIONS
Recommendations
•  The problem is not protocol specific (!)
   –  Any solution should be multi-protocol enabled, or rather protocol agnostic
•  A shared service, two possible approaches
   –  Metadata Service (“automate”) or Proxy (“outsource”)
•  True Internet scale? Expect combinations (!)
   –  Local/enterprise/community: proxy based
   –  Protocol Translation: proxy
   –  Global: (interconnected) metadata service based
Metadata Service
•  Registration and publishing service for “endpoint” metadata
   –  Multi-protocol: both SAML 2.0 and OpenID Connect (OPs)
•  Technical Trust
   –  authenticated, trusted source
•  Discovery
   –  multiple entities on a single OIDC domain
   –  Entities that cannot or will not host their own metadata
   –  Replace well-known URL starting point
•  Validation
•  Certification
Future? Not so much!
•  Identity is/as KEY
   –  not just users, but also devices and applications
•  Unified access policy implementation across web and APIs/Mobile
   –  Based on identity
•  Enterprise:
   –  Single System -> Identity Bridge
•  Identity Bridge
   –  Bridge external SAML and OpenID Connect to internal OpenID Connect (both ends standardized)
Thank You
Q&A
@hanszandbelt
Ping Identity
CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...
CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...CloudIDSummit
 
CIS 2015 What I Learned From Pitching IAM To My CIO - Steve Tout
CIS 2015 What I Learned From Pitching IAM To My CIO - Steve ToutCIS 2015 What I Learned From Pitching IAM To My CIO - Steve Tout
CIS 2015 What I Learned From Pitching IAM To My CIO - Steve ToutCloudIDSummit
 
CIS 2015 How to secure the Internet of Things? Hannes Tschofenig
CIS 2015 How to secure the Internet of Things? Hannes TschofenigCIS 2015 How to secure the Internet of Things? Hannes Tschofenig
CIS 2015 How to secure the Internet of Things? Hannes TschofenigCloudIDSummit
 
CIS 2015 The IDaaS Dating Game - Sean Deuby
CIS 2015 The IDaaS Dating Game - Sean DeubyCIS 2015 The IDaaS Dating Game - Sean Deuby
CIS 2015 The IDaaS Dating Game - Sean DeubyCloudIDSummit
 
CIS 2015 SSO for Mobile and Web Apps Ashish Jain
CIS 2015 SSO for Mobile and Web Apps Ashish JainCIS 2015 SSO for Mobile and Web Apps Ashish Jain
CIS 2015 SSO for Mobile and Web Apps Ashish JainCloudIDSummit
 
The Industrial Internet, the Identity of Everything and the Industrial Enterp...
The Industrial Internet, the Identity of Everything and the Industrial Enterp...The Industrial Internet, the Identity of Everything and the Industrial Enterp...
The Industrial Internet, the Identity of Everything and the Industrial Enterp...CloudIDSummit
 
CIS 2015 SAML-IN / SAML-OUT - Scott Tomilson & John Dasilva
CIS 2015 SAML-IN / SAML-OUT - Scott Tomilson & John DasilvaCIS 2015 SAML-IN / SAML-OUT - Scott Tomilson & John Dasilva
CIS 2015 SAML-IN / SAML-OUT - Scott Tomilson & John DasilvaCloudIDSummit
 
CIS 2015 Session Management at Scale - Scott Tomilson & Jamshid Khosravian
CIS 2015  Session Management at Scale - Scott Tomilson & Jamshid KhosravianCIS 2015  Session Management at Scale - Scott Tomilson & Jamshid Khosravian
CIS 2015 Session Management at Scale - Scott Tomilson & Jamshid KhosravianCloudIDSummit
 
CIS 2015 So you want to SSO … Scott Tomilson & John Dasilva
CIS 2015 So you want to SSO … Scott Tomilson & John DasilvaCIS 2015 So you want to SSO … Scott Tomilson & John Dasilva
CIS 2015 So you want to SSO … Scott Tomilson & John DasilvaCloudIDSummit
 
CIS 2015 Identity Relationship Management in the Internet of Things
CIS 2015 Identity Relationship Management in the Internet of ThingsCIS 2015 Identity Relationship Management in the Internet of Things
CIS 2015 Identity Relationship Management in the Internet of ThingsCloudIDSummit
 

Plus de CloudIDSummit (20)

CIS 2016 Content Highlights
CIS 2016 Content HighlightsCIS 2016 Content Highlights
CIS 2016 Content Highlights
 
Top 6 Reasons You Should Attend Cloud Identity Summit 2016
Top 6 Reasons You Should Attend Cloud Identity Summit 2016Top 6 Reasons You Should Attend Cloud Identity Summit 2016
Top 6 Reasons You Should Attend Cloud Identity Summit 2016
 
CIS 2015 Security Without Borders: Taming the Cloud and Mobile Frontier - And...
CIS 2015 Security Without Borders: Taming the Cloud and Mobile Frontier - And...CIS 2015 Security Without Borders: Taming the Cloud and Mobile Frontier - And...
CIS 2015 Security Without Borders: Taming the Cloud and Mobile Frontier - And...
 
Mobile security, identity & authentication reasons for optimism 20150607 v2
Mobile security, identity & authentication   reasons for optimism 20150607 v2Mobile security, identity & authentication   reasons for optimism 20150607 v2
Mobile security, identity & authentication reasons for optimism 20150607 v2
 
CIS 2015 Mobile Security, Identity & Authentication: Reasons for Optimism - R...
CIS 2015 Mobile Security, Identity & Authentication: Reasons for Optimism - R...CIS 2015 Mobile Security, Identity & Authentication: Reasons for Optimism - R...
CIS 2015 Mobile Security, Identity & Authentication: Reasons for Optimism - R...
 
CIS 2015 Virtual Identity: The Vision, Challenges and Experiences in Driving ...
CIS 2015 Virtual Identity: The Vision, Challenges and Experiences in Driving ...CIS 2015 Virtual Identity: The Vision, Challenges and Experiences in Driving ...
CIS 2015 Virtual Identity: The Vision, Challenges and Experiences in Driving ...
 
CIS 2015 Deploying Strong Authentication to a Global Enterprise: A Comedy in ...
CIS 2015 Deploying Strong Authentication to a Global Enterprise: A Comedy in ...CIS 2015 Deploying Strong Authentication to a Global Enterprise: A Comedy in ...
CIS 2015 Deploying Strong Authentication to a Global Enterprise: A Comedy in ...
 
CIS 2015 Without Great Security, Digital Identity is Not Worth the Electrons ...
CIS 2015 Without Great Security, Digital Identity is Not Worth the Electrons ...CIS 2015 Without Great Security, Digital Identity is Not Worth the Electrons ...
CIS 2015 Without Great Security, Digital Identity is Not Worth the Electrons ...
 
CIS 2015 Mergers & Acquisitions in a Cloud Enabled World - Brian Puhl
CIS 2015 Mergers & Acquisitions in a Cloud Enabled World - Brian PuhlCIS 2015 Mergers & Acquisitions in a Cloud Enabled World - Brian Puhl
CIS 2015 Mergers & Acquisitions in a Cloud Enabled World - Brian Puhl
 
CIS 2015 IoT and IDM in your Mobile Enterprise - Brian Katz
CIS 2015 IoT and IDM  in your Mobile Enterprise - Brian KatzCIS 2015 IoT and IDM  in your Mobile Enterprise - Brian Katz
CIS 2015 IoT and IDM in your Mobile Enterprise - Brian Katz
 
CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...
CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...
CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...
 
CIS 2015 What I Learned From Pitching IAM To My CIO - Steve Tout
CIS 2015 What I Learned From Pitching IAM To My CIO - Steve ToutCIS 2015 What I Learned From Pitching IAM To My CIO - Steve Tout
CIS 2015 What I Learned From Pitching IAM To My CIO - Steve Tout
 
CIS 2015 How to secure the Internet of Things? Hannes Tschofenig
CIS 2015 How to secure the Internet of Things? Hannes TschofenigCIS 2015 How to secure the Internet of Things? Hannes Tschofenig
CIS 2015 How to secure the Internet of Things? Hannes Tschofenig
 
CIS 2015 The IDaaS Dating Game - Sean Deuby
CIS 2015 The IDaaS Dating Game - Sean DeubyCIS 2015 The IDaaS Dating Game - Sean Deuby
CIS 2015 The IDaaS Dating Game - Sean Deuby
 
CIS 2015 SSO for Mobile and Web Apps Ashish Jain
CIS 2015 SSO for Mobile and Web Apps Ashish JainCIS 2015 SSO for Mobile and Web Apps Ashish Jain
CIS 2015 SSO for Mobile and Web Apps Ashish Jain
 
The Industrial Internet, the Identity of Everything and the Industrial Enterp...
The Industrial Internet, the Identity of Everything and the Industrial Enterp...The Industrial Internet, the Identity of Everything and the Industrial Enterp...
The Industrial Internet, the Identity of Everything and the Industrial Enterp...
 
CIS 2015 SAML-IN / SAML-OUT - Scott Tomilson & John Dasilva
CIS 2015 SAML-IN / SAML-OUT - Scott Tomilson & John DasilvaCIS 2015 SAML-IN / SAML-OUT - Scott Tomilson & John Dasilva
CIS 2015 SAML-IN / SAML-OUT - Scott Tomilson & John Dasilva
 
CIS 2015 Session Management at Scale - Scott Tomilson & Jamshid Khosravian
CIS 2015  Session Management at Scale - Scott Tomilson & Jamshid KhosravianCIS 2015  Session Management at Scale - Scott Tomilson & Jamshid Khosravian
CIS 2015 Session Management at Scale - Scott Tomilson & Jamshid Khosravian
 
CIS 2015 So you want to SSO … Scott Tomilson & John Dasilva
CIS 2015 So you want to SSO … Scott Tomilson & John DasilvaCIS 2015 So you want to SSO … Scott Tomilson & John Dasilva
CIS 2015 So you want to SSO … Scott Tomilson & John Dasilva
 
CIS 2015 Identity Relationship Management in the Internet of Things
CIS 2015 Identity Relationship Management in the Internet of ThingsCIS 2015 Identity Relationship Management in the Internet of Things
CIS 2015 Identity Relationship Management in the Internet of Things
 

Dernier

Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024SkyPlanner
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Websitedgelyza
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPathCommunity
 
Introduction to Quantum Computing
Introduction to Quantum ComputingIntroduction to Quantum Computing
Introduction to Quantum ComputingGDSC PJATK
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfinfogdgmi
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IES VE
 
Spring24-Release Overview - Wellingtion User Group-1.pdf
Spring24-Release Overview - Wellingtion User Group-1.pdfSpring24-Release Overview - Wellingtion User Group-1.pdf
Spring24-Release Overview - Wellingtion User Group-1.pdfAnna Loughnan Colquhoun
 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URLRuncy Oommen
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Commit University
 
Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Adtran
 
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationUsing IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationIES VE
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAshyamraj55
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.YounusS2
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfDaniel Santiago Silva Capera
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaborationbruanjhuli
 
RAG Patterns and Vector Search in Generative AI
RAG Patterns and Vector Search in Generative AIRAG Patterns and Vector Search in Generative AI
RAG Patterns and Vector Search in Generative AIUdaiappa Ramachandran
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1DianaGray10
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesThousandEyes
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Will Schroeder
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding TeamAdam Moalla
 

Dernier (20)

Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Website
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation Developers
 
Introduction to Quantum Computing
Introduction to Quantum ComputingIntroduction to Quantum Computing
Introduction to Quantum Computing
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdf
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
 
Spring24-Release Overview - Wellingtion User Group-1.pdf
Spring24-Release Overview - Wellingtion User Group-1.pdfSpring24-Release Overview - Wellingtion User Group-1.pdf
Spring24-Release Overview - Wellingtion User Group-1.pdf
 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URL
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)
 
Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™
 
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationUsing IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
 
RAG Patterns and Vector Search in Generative AI
RAG Patterns and Vector Search in Generative AIRAG Patterns and Vector Search in Generative AI
RAG Patterns and Vector Search in Generative AI
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team
 

CIS13: Identity at Scale

• 1. Identity at Scale
  Hans Zandbelt, CTO Office – Ping Identity
  CIS 2013
  Copyright ©2013 Ping Identity Corporation. All rights reserved.
• 2. Contents
  •  Trends and Standards
  •  Identity at Scale
  •  Recommendations
• 3. Trends
  •  Cloud (SaaS), Mobile, Social
     –  Authentication: SAML -> +OpenID Connect
  •  Web -> API
     –  Core business: information and data, not presentation
  •  Internet of Things
     –  Mutual authentication? controlling other cars, toasters, lightbulbs
• 4. Standards (the nice thing is…)
  •  Standards
     –  Interoperability: need to deal with another vendor's API/product? Not an app for every thing in the IoT!
     –  cross-domain
     –  competition, replaceable implementations, leading to good but cheap products?
  •  APIs
     –  Light-weight, SOAP -> REST/OAuth 2.0
  •  Web SSO
     –  Enterprise/Customer Identity, Consumer Identity
     –  SAML -> OpenID Connect: scale?
  •  OpenID Connect
     –  Simplicity for clients/RPs -> complexity shifted to the OP
• 5. IDENTITY AT SCALE
• 6. 1-1 Federated Identity Today
  •  Increase of Cloud/SaaS adoption
     –  growing number of federated SSO applications (SAML)
     –  growing number of partner connections
     –  growing connection management overhead (*)
  •  But(!) also for "incidental" connections
     –  How to obtain updates
        •  Authoritative source -> trust
        •  Infrastructure: authenticated source (e-mail…)
     –  How to configure them
        •  Automated
        •  Managed, outsourced
  [Diagram: three IDPs and three SPs, each IDP-SP pair connected directly (1-1)]
• 7. Connection Management (*)
  •  Metadata related (not so standard for other-than-SAML protocols)
     –  key material
     –  SSO service URLs
     –  point of contact
  •  Attributes
     –  could be metadata, often isn't
     –  may be bilateral (!)
     –  required/optional, consent
  •  Policies
     –  contractual agreements
     –  privacy
  •  End-user/application/SSO related
     –  how users can sign in (relation to service URLs)
     –  change in look and feel
     –  change in functionality
  [Diagram: <md> metadata document]
• 8. Metadata - SAML 2.0
  •  Technical Trust
  •  X.509 Certificate
     –  Anchored vs. unanchored
     –  Key vs. other cert info
  •  URLs/Bindings
  •  Contact info
     –  Company name, admin/tech contact

  <md:EntityDescriptor
      xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
      xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
      xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
      entityID="https://idp.example.org/SAML2">

    <!-- insert ds:Signature element -->

    <md:IDPSSODescriptor
        protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">

      <md:KeyDescriptor use="signing">
        <ds:KeyInfo>…</ds:KeyInfo>
      </md:KeyDescriptor>

      <md:SingleSignOnService
          Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://idp.example.org/SAML2/SSO/POST"/>
      <md:SingleSignOnService
          Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
          Location="https://idp.example.org/SAML2/Artifact"/>

    </md:IDPSSODescriptor>

    <md:Organization>
      <md:OrganizationName xml:lang="en">
        SAML Identity Provider
      </md:OrganizationName>
      <md:OrganizationURL xml:lang="en">
        http://www.idp.example.org/
      </md:OrganizationURL>
    </md:Organization>

    <md:ContactPerson contactType="technical">
      <md:SurName>SAML IdP Support</md:SurName>
      <md:EmailAddress>mailto:saml-support@idp.example.org</md:EmailAddress>
    </md:ContactPerson>

  </md:EntityDescriptor>
• 9. Connection Management: Metadata/Technical Issues
  •  Connection management is often a one-shot process (i.e. a snapshot)
  •  Certificate expiry and update
  •  Contact info update
  •  URL and binding updates
  •  Changes in IDP discovery process
  •  Metadata documents can contribute to the solution, but how to scale the exchange?
  [Diagram: Key Rollover, Contact Info, Bindings & URLs]
• 10. BE AWARE
  Contrary to popular belief: the connection management problem is NOT specific to SAML; any federated authentication system deployed on true internet scale will have to address this issue. So: any solution should be protocol agnostic.
• 11. TOWARDS A SOLUTION: What can we do?
• 12. Solution Approach (n=2): Shared Connection Management
  •  Single/central/shared point of connection management (trust)
  •  Trusted 3rd party
     –  From: user trust scaled through a 2nd party; to: SP/IDP trust through a 3rd party
  •  Compares to TLS with a Certificate Authority, or to DNS
  •  Challenge
     –  How to create a trusted channel
  [Diagram: IDPs and SPs each connected to a single Shared Service]
• 13. A shared service… where does it apply?
  •  intra-enterprise
     –  large distributed organizations, both infrastructure and responsibilities/trust (acquisitions and mergers)
     –  connect multiple applications to a variety of externals & internals; "user access firewall"
  •  inter-enterprise
     –  verticals: healthcare, automotive, banking/financial, education, but also "cross e-Gov"
     –  homogeneous(!) group with shared interest/organization
  [Diagram: IDP-SP pairs grouped around the shared service]
• 14. A Next Step In Architecture Evolution…
  [Diagram, four stages:
   1. Application Server hosting App 1, App 2 and App 3, each with its own embedded federation ("Fed") module
   2. App Server or Access System hosting App 1, App 2 and App 3, sharing one Federation component
   3. App Server hosting App 1, App 2 and App 3, behind a dedicated Federation Server
   4. Several App Servers (App 1 to App 4) and Fed Servers, with Connection Management as a separate shared facility]
• 15. Solution 1: Proxy
  •  Indirect peer-to-peer communication
  •  Trust the proxy only, relay to peers, in-band
  •  Shift the metadata problem to a central facility: no distributed management
  •  Technical trust may be combined with organizational trust
  •  Connection Management
     –  MxN -> M+N
  •  Accommodates different SAML implementations
  •  Protocol translations are possible
  [Diagram: IDPs and SPs talk SAML to a SAML Proxy (acting as SP towards IDPs and as IDP towards SPs) run by an Operator]
• 16. Benefits
  •  Scalability of trust
     –  Technical: single connection to proxy, central management of partner connections
     –  Organizational: trust in proxy operator
  •  Updates
     –  outsourced to the proxy; proxy to solve…
  •  Discovery & Autoconf
     –  outsourced to the proxy; proxy to solve…
  [Diagram: Centralized Trust Mgmt, Updates, Discovery & Autoconf]
• 17. Solution 2: Metadata Service
  •  aka multi-party federation
  •  Higher Education & Research
     –  InCommon, UK Access Federation
     –  40+ across the world
  •  Business Verticals
     –  Healthcare
     –  Finance
     –  e-Gov
  •  Async technical trust
  •  Sync direct peer-to-peer communication
  •  Metadata upload (!)
  [Diagram: IDPs and SPs exchange SAML Metadata with a Federation Operator and talk SAML directly to each other]
• 18. Distribution variants (SAML 2.0 metadata)
  •  Flat file based (classic)
     –  > 10 MB files for large federations (EntitiesDescriptor)
  •  Query-based (MDX)
  •  Well-known location for metadata
     –  EntityID-is-URL-to-Metadata
     –  SAML auto-connect (Ping Identity)
  •  DNS based (registry)
  •  Trust
     1.  signed metadata
     2.  trusted registry
     3.  SSL CA
  [Diagram: the three trust variants, numbered 1 to 3; variants 2 and 3 resolve through DNS]
• 19. Metadata Expiry (!)
  •  Attributes validUntil and cacheDuration, allowed on both EntitiesDescriptor and EntityDescriptor level
  •  use only validUntil to enforce expiration
  •  use cacheDuration to override (downward) the refresh interval
  •  keep using (valid) metadata if the refresh fails
  [Timeline: d = cacheDuration (interval), v = validUntil (timestamp); metadata fetched at t1 is refreshed at t1+d, t1+2d, … until v = t2, when it expires; a freshly loaded copy then continues at t2+d, t2+2d]
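Added example, not from the deck and not Ping Identity's code, covering the metadata on slide 8, the issues on slide 9 and the expiry rules above: a relying-party loader for SAML 2.0 IdP metadata that extracts the signing certificates and SSO endpoints and implements the three rules (validUntil is the only hard expiry, cacheDuration can only shorten the refresh interval, a failed refresh leaves still-valid metadata in use). The sample EntityDescriptor, its placeholder certificate values and the fetch callable are constructed for the example; a real deployment verifies the ds:Signature before trusting anything in the document, which this example deliberately leaves out.

```python
"""Added example (not code from the deck or from Ping Identity): load SAML 2.0 IdP
metadata, collect signing keys and SSO endpoints, and apply the validUntil /
cacheDuration rules.  Standard library only; sample document and fetch are constructed."""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample: two signing keys (a rollover in progress), one encryption key,
# a hard expiry (validUntil) and a refresh hint (cacheDuration). Certs are placeholders.
SAMPLE_METADATA = """<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.org/SAML2"
    validUntil="2013-07-15T00:00:00Z" cacheDuration="PT6H">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>BASE64-CERT-OLD</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>BASE64-CERT-NEW</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>BASE64-CERT-ENC</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.org/SAML2/SSO/POST"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.org/SAML2/SSO/Redirect"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

_DURATION = re.compile(r"^P(?:(?P<d>\d+)D)?"
                       r"(?:T(?:(?P<h>\d+)H)?(?:(?P<m>\d+)M)?(?:(?P<s>\d+)S)?)?$")

def parse_duration(text):
    """xs:duration subset seen in cacheDuration: days, hours, minutes, seconds."""
    m = _DURATION.match(text)
    if not m:
        raise ValueError("unsupported duration: %r" % text)
    return timedelta(days=int(m["d"] or 0), hours=int(m["h"] or 0),
                     minutes=int(m["m"] or 0), seconds=int(m["s"] or 0))

def parse_timestamp(text):
    """xs:dateTime in the UTC 'Z' form used in metadata (no fractional seconds)."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse_entity_descriptor(xml_text):
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not an md:EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no md:IDPSSODescriptor")
    info = {"entity_id": root.get("entityID"), "signing_certs": [], "sso": {},
            "valid_until": parse_timestamp(root.get("validUntil")) if root.get("validUntil") else None,
            "cache_duration": parse_duration(root.get("cacheDuration")) if root.get("cacheDuration") else None}
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):   # no 'use' means signing and encryption
            for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                info["signing_certs"].append("".join(cert.text.split()))
    for ep in idp.findall("md:SingleSignOnService", NS):
        info["sso"][ep.get("Binding")] = ep.get("Location")
    return info

DEFAULT_REFRESH = timedelta(hours=24)

def refresh_interval(info, default=DEFAULT_REFRESH):
    """cacheDuration may only shorten the operator's default refresh interval."""
    d = info["cache_duration"]
    return min(default, d) if d is not None else default

def is_valid(info, now):
    """validUntil is the only hard expiry; metadata without it does not expire."""
    return info["valid_until"] is None or now < info["valid_until"]

class MetadataCache:
    """One entity's metadata: refreshed on schedule, kept across a failed fetch."""
    def __init__(self, fetch, default_refresh=DEFAULT_REFRESH):
        self.fetch = fetch                 # callable returning metadata XML; may raise
        self.default_refresh = default_refresh
        self.info, self.next_refresh = None, None

    def get(self, now):
        if self.info is None or now >= self.next_refresh:
            try:
                fresh = parse_entity_descriptor(self.fetch())
                if not is_valid(fresh, now):   # an already-expired document is a failed fetch
                    raise ValueError("fetched metadata is past its validUntil")
                self.info = fresh
            except Exception:
                # keep serving the cached copy while it is still within validUntil
                if self.info is None or not is_valid(self.info, now):
                    raise
            self.next_refresh = now + refresh_interval(self.info, self.default_refresh)
        if not is_valid(self.info, now):
            raise ValueError("metadata for %s expired at %s"
                             % (self.info["entity_id"], self.info["valid_until"]))
        return self.info
```

A document that arrives already past its validUntil is treated like a failed refresh, so a broken publisher cannot replace a good cached copy with a stale one; once validUntil has passed the cache refuses to serve at all, which is the point of having the hard expiry separate from the refresh interval.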
• 20. Benefits
  •  Scalability of trust
     –  Technical: removes the need to exchange metadata on a peer-to-peer basis
     –  Organizational: federation operator does IDP and SP vetting through contractual agreements
  •  Key rollover
     –  Include multiple signing keys for a validUntil period
  •  Discovery and auto-configuration
     –  Building block…
  [Diagram: Scalability of Trust, Key Rollover, Discovery & Autoconf]
• 21. Metadata Service layering: interfederation
  [Diagram: two federations, each with its own IDPs, SPs and Metadata, feed an Interfederation Operator that publishes Aggregated Metadata]
• 22. SAML 2.0 Metadata extensions
  •  MDUI
     –  SAML V2.0 Metadata Extensions for Login and Discovery User Interface, Version 1.0
  •  Entity attributes
     –  SAML V2.0 Metadata Extension for Entity Attributes, Version 1.0
     –  Generic extension point
  •  Signed Entity Attributes
     –  Single source of metadata, support multiple trust levels or hierarchies
  •  Other protocols
     –  SAML 1.0, SAML 1.1
     –  WS-Federation (ADFS 2.0)
     –  OpenID 2.0
     –  OpenID Connect (?) -> independent registry or attribute
• 23. Taxonomy + Examples

  Model \ Deployment   External                Internal
  Proxy                IDMaaS (PingOne)        Proxy (PingFederate)
  Metadata             Federation (InCommon)   "Metadata Server"
• 24. Solution Examples for SAML 2.0
  •  Proxy
     –  PingOne
     –  wayf.dk
  •  Metadata Service
     –  InCommon
     –  UK Access Federation
  Any SAML product implementation today may or may not support one or both models, in the core or through customizations.
• 25. OpenID Connect Metadata (OP and RP)
  •  Metadata and key material separated
  •  Use HTTP cache info for the JWK set (optional)
  •  Multiple keys, each with a "kid" – JIT: the client fetches the JWK set again when it sees an unknown kid
  •  Client updates its keys with the OP through Dynamic Client Registration
  [Diagram: OP and RP each publish metadata plus a JWK set; the OP's Metadata Service and Dynamic Client Registration endpoint link the two]
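Added example, not from the deck and not Ping Identity's code, for the JWK set handling on this slide: a relying-party cache that keeps the OP's keys by kid, refetches the JWK set just in time when a kid is unknown, schedules refreshes from the HTTP Cache-Control max-age, and throttles refetches so that a token carrying a made-up kid cannot drive the RP into hammering the OP's jwks_uri. The fetch callable, the clock and the JWK documents are constructed; the code only selects the key, it does not verify a signature.

```python
"""Added example (not code from the deck or from Ping Identity): RP-side JWK set
cache for an OpenID Provider, keyed by kid, with just-in-time refetch on an unknown
kid, Cache-Control driven scheduled refresh and a refetch throttle.  The fetch
callable, clock and JWKS documents are constructed; nothing touches the network."""
import time

def max_age_from_cache_control(header):
    """max-age seconds from a Cache-Control value; 0 for no-store/no-cache;
    None when the header says nothing about freshness."""
    if not header:
        return None
    result = None
    for directive in header.split(","):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name in ("no-store", "no-cache"):
            return 0
        if name == "max-age" and value.isdigit():
            result = int(value)
    return result

class JwksCache:
    def __init__(self, fetch, clock=time.monotonic,
                 default_max_age=3600, min_refetch_interval=300):
        self.fetch = fetch          # () -> (jwks_dict, cache_control_header_or_None)
        self.clock = clock
        self.default_max_age = default_max_age
        self.min_refetch_interval = min_refetch_interval
        self.keys = {}              # kid -> JWK, signing keys only
        self.expires_at = 0.0       # when the scheduled refresh is due
        self.last_fetch = None

    def _refresh(self, now):
        """Fetch jwks_uri unless a fetch happened too recently; report whether it ran."""
        if self.last_fetch is not None and now - self.last_fetch < self.min_refetch_interval:
            return False
        jwks, cache_control = self.fetch()
        # ignore keys without a kid (cannot be matched) and encryption keys
        self.keys = {k["kid"]: k for k in jwks.get("keys", [])
                     if "kid" in k and k.get("use", "sig") == "sig"}
        max_age = max_age_from_cache_control(cache_control)
        self.last_fetch = now
        self.expires_at = now + (self.default_max_age if max_age is None else max_age)
        return True

    def get_signing_key(self, kid):
        now = self.clock()
        if now >= self.expires_at:
            self._refresh(now)                   # scheduled refresh; stale copy kept if throttled
        key = self.keys.get(kid)
        if key is None and self._refresh(now):   # JIT: unknown kid -> one refetch, if allowed
            key = self.keys.get(kid)
        if key is None:
            raise KeyError("OP publishes no signing key with kid=%r" % kid)
        return key
```

During a rollover the OP publishes old and new keys together for a while; the cache then serves tokens signed with either key without a request, and only the first sighting of the new kid costs a fetch. If the OP answers with Cache-Control: no-store, the scheduled refresh is due on every lookup but still bounded by min_refetch_interval.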
• 26. RECOMMENDATIONS
• 27. Recommendations
  •  The problem is not protocol specific (!)
     –  Any solution should be multi-protocol enabled, or rather protocol agnostic
  •  A shared service, two possible approaches
     –  Metadata Service ("automate") or Proxy ("outsource")
  •  True Internet scale? Expect combinations (!)
     –  Local/enterprise/community: proxy based
     –  Protocol translation: proxy
     –  Global: (interconnected) metadata service based
• 28. Metadata Service
  •  Registration and publishing service for "endpoint" metadata
     –  Multi-protocol: both SAML 2.0 and OpenID Connect (OPs)
  •  Technical Trust
     –  authenticated, trusted source
  •  Discovery
     –  multiple entities on a single OIDC domain
     –  entities that cannot or will not host their own metadata
     –  replace the well-known URL starting point
  •  Validation
  •  Certification
• 29. Future? Not so much!
  •  Identity is/as KEY
     –  not just users, but also devices and applications
  •  Unified access policy implementation across web and APIs/Mobile
     –  Based on identity
  •  Enterprise:
     –  Single System -> Identity Bridge
  •  Identity Bridge
     –  Bridge external SAML and OpenID Connect to internal OpenID Connect (both ends standardized)
• 30. Thank You, Q&A
  @hanszandbelt, Ping Identity