CIS 2015 Session Management at Scale - Scott Tomilson & Jamshid Khosravian
2. Copyright © 2015 Cloud Identity Summit. All rights reserved.
Web Session Management
3. Jamshid (Jim) Khosravian
• Senior Software Developer at PingIdentity
• Software Technology Enthusiast
• Canadian
(Sorry that I say sorry so much)
4. Agenda
• PingAccess Session Management
• Session Initiation/Creation
• Session Token attributes
• Session Attributes and Timeouts
• Single Logout
• PingAccess Scalability
• Q&A
5. Session Initiation
• PingAccess deployed in front of web apps (Proxy)
• PingAccess Agent installed on the webserver hosting
web app (Agent)
• PingFederate and PingAccess interactions
6. Proxy
[Diagram: proxy deployment, numbered steps 1-6 of the flow below]
High-level Flow:
1) Resource requested
2) PA checks URL policy – it's a protected resource. No PA session. Redirect to PF to login user.
3) User login, PF session created / validated.
4) User redirected back to resource. PA session created.
5) PA session check – OK.
6) Request OK – forward to backend resource.
7. Agent
[Diagram: agent deployment, numbered steps 1-8 of the flow below]
High-level Flow:
1) Resource requested
2) PA agent forwards request to PA server
3) PA checks URL policy – it's a protected resource. No PA session. Creates redirect to PF for Agent. Agent sends redirect back.
4) User login, PF session created / validated.
5) User redirected back to resource.
6) PA agent forwards request to PA server
7) PA checks PF response – OK – creates session – sends response to Agent
8) PA response – OK – Access granted – Requested resource served
8. Session Initiation
• "Varied" Session Management handled within IdP Adapters at time of authentication / SSO
• E.g.:
• HTML Form Adapter
• IWA
• WAM IK (Third-party tokens)
• Session tokens issued upon SSO & re-issued regularly to handle idle timeouts
• JWT format (signed or encrypted)
• Contain attributes required by protected apps & authn level
• Can be scoped per Application
9. Session Token
• JWT
• Signed (JWS)
• Encrypted (JWE)
• Content
• Session Attributes
• (Optional) User Attributes
10. Session Token (cont’d)
Received PF ID Token (Signed):
{
  "alg": "RS256",
  "kid": "gcs0e"
}.
{
  "sub": "joe",
  "aud": "PingAccessOIDC",
  "jti": "FfCzPyb74vu3va6RNjIBhC",
  "iss": "https://synapse.pingfederatelabs.com:9031",
  "iat": 1433128115,
  "exp": 1433128175,
  "pi.sri": "YPKOMwK7PF2xB9woQexUteMpn_U",
  "nonce": "rhZvrAswWdztaPq-RQSqcSVAWdOiXkRTGeg6y_zVvW0",
  "at_hash": "YSO7fz1xkW_kRliDzmJ_Sg"
}.
{
  Signature data
}

PA Session Token (Signed):
{
  "pi.sri": "YPKOMwK7PF2xB9woQexUteMpn_U",
  "kid": "7",
  "alg": "ES256"
}.
{
  "sub": "joe",
  "aud": "global",
  "jti": "5c68d4a7-357c-475d-8f01-02c0ddfc90ca",
  "iat": 1433128123,
  "at_hash": "YSO7fz1xkW_kRliDzmJ_Sg",
  "iss": "PingAccess",
  "exp": 1433131723,
  "pingaccess_refresh_exp": 1433305544,
  "access_token": "9TwtEfi4fYnuQkDKUYnRivf8uHIN",
  "phone_number": "+1 (425) 555-1212",
  "role": "sales",
  "address": {
    "street_address": "123 Main Street",
    "country": "USA",
    "formatted": "123 Main Street, Smallville, ME USA 11223",
    "locality": "Smallville",
    "region": "ME",
    "postal_code": "11223"
  }
}.
{
  Signature data
}
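What PA does with the PF response (step 4 of the proxy flow, step 7 of the agent flow) before minting the session token above is not spelled out on the slides. The following is an added Python example, not PingAccess code, that models that step with the standard library only: it builds the login redirect to PF with a fresh state and nonce, then validates the returned ID token claims against the issuer and audience of the PF token above, the nonce it sent, the expiry, and the at_hash binding to the access token (OpenID Connect Core: base64url of the left half of the access token's hash, using the hash function of the ID token's alg), and finally seeds the PA session with pi.sri, at_hash and the access token, the fields the PA token above carries. The redirect URI, the in-memory dictionary of pending logins, the authorization-code response type and the sample values are assumptions; verifying the ID token signature against the PF key named by kid is assumed to have been done before validate_pf_response is called.

```python
import base64
import hashlib
import secrets
import time
from typing import Dict, Tuple
from urllib.parse import urlencode

# Taken from the PF ID token on the slide
PF_ISSUER = "https://synapse.pingfederatelabs.com:9031"
PA_CLIENT_ID = "PingAccessOIDC"                       # the 'aud' PF puts in the ID token
# Assumed for this example (not from the slides)
PA_REDIRECT_URI = "https://pa.example.com/pa/oidc/cb"
PF_AUTHZ_ENDPOINT = PF_ISSUER + "/as/authorization.oauth2"

# Transient per-login state PA keeps until the browser comes back (constructed: in-memory dict)
PENDING_LOGINS: Dict[str, dict] = {}


def build_login_redirect(resource_url: str) -> str:
    """Proxy flow step 2: no PA session, so send the browser to PF to log in.
    'state' ties the callback to this request; 'nonce' must be echoed in the ID token."""
    state = secrets.token_urlsafe(24)
    nonce = secrets.token_urlsafe(32)
    PENDING_LOGINS[state] = {"nonce": nonce, "resource": resource_url, "created": int(time.time())}
    params = {
        "response_type": "code",      # assumed; the slides do not name the OIDC flow used
        "client_id": PA_CLIENT_ID,
        "redirect_uri": PA_REDIRECT_URI,
        "scope": "openid",
        "state": state,
        "nonce": nonce,
    }
    return PF_AUTHZ_ENDPOINT + "?" + urlencode(params)


def compute_at_hash(access_token: str, alg: str = "RS256") -> str:
    """at_hash per OpenID Connect Core 3.3.2.11: hash the ASCII access token with the hash
    function of the ID token's alg, keep the left half, base64url-encode without padding."""
    digest_name = {"256": "sha256", "384": "sha384", "512": "sha512"}.get(alg[-3:])
    if digest_name is None:
        raise ValueError("unsupported alg for at_hash: %r" % alg)
    digest = hashlib.new(digest_name, access_token.encode("ascii")).digest()
    left_half = digest[: len(digest) // 2]
    return base64.urlsafe_b64encode(left_half).rstrip(b"=").decode("ascii")


def validate_pf_response(state: str, id_token_header: dict, id_token_claims: dict,
                         access_token: str, now: int) -> Tuple[dict, str]:
    """Proxy flow step 4 / agent flow step 7: check what PF sent back before creating a PA session.
    Returns (claims to seed the PA session, originally requested resource URL).
    Raises ValueError on any failure. Signature verification of the ID token with PF's key
    (header 'kid') is assumed to have happened already."""
    pending = PENDING_LOGINS.pop(state, None)        # one-shot: a replayed state is rejected
    if pending is None:
        raise ValueError("unknown or already used state")
    c = id_token_claims
    if c.get("iss") != PF_ISSUER:
        raise ValueError("wrong issuer")
    aud = c.get("aud")
    if not (aud == PA_CLIENT_ID or (isinstance(aud, list) and PA_CLIENT_ID in aud)):
        raise ValueError("ID token not issued to PingAccess")
    if now >= int(c.get("exp", 0)):
        raise ValueError("ID token expired")
    if not secrets.compare_digest(str(c.get("nonce", "")), pending["nonce"]):
        raise ValueError("nonce mismatch (possible replay)")
    expected = compute_at_hash(access_token, id_token_header.get("alg", "RS256"))
    if not secrets.compare_digest(str(c.get("at_hash", "")), expected):
        raise ValueError("at_hash does not match the access token")
    if not c.get("sub") or not c.get("pi.sri"):
        raise ValueError("missing sub or pi.sri; PA could not revalidate this session with PF later")
    seed = {"sub": c["sub"], "pi.sri": c["pi.sri"], "at_hash": c["at_hash"], "access_token": access_token}
    return seed, pending["resource"]
```

The at_hash check is what prevents an access token obtained elsewhere from being paired with this ID token, and popping the state makes a replayed callback fail even if every claim in it is otherwise valid.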
11. Session Storage
• Client Side
• Session attributes and user attributes inside
session cookie
• Server Side
• Session attributes inside session cookie
• User attributes stored on server
12. Session Storage (cont’d)
Session Token (Server):
{
  "pi.sri": "YPKOMwK7PF2xB9woQexUteMpn_U",
  "kid": "7",
  "alg": "ES256"
}.
{
  "sub": "joe",
  "aud": "global",
  "jti": "5c68d4a7-357c-475d-8f01-02c0ddfc90ca",
  "iat": 1433128123,
  "updated_time": "2011-01-03T23:58:42+0000",
  "at_hash": "YSO7fz1xkW_kRliDzmJ_Sg",
  "iss": "PingAccess",
  "exp": 1433131723,
  "access_token": "9TwtEfi4fYnuQkDKUYnRivf8uHIN"
}.
{
  Signature data
}

Session Token (Client):
{
  "pi.sri": "YPKOMwK7PF2xB9woQexUteMpn_U",
  "kid": "7",
  "alg": "ES256"
}.
{
  "sub": "joe",
  "aud": "global",
  "jti": "5c68d4a7-357c-475d-8f01-02c0ddfc90ca",
  "iat": 1433128123,
  "updated_time": "2011-01-03T23:58:42+0000",
  "at_hash": "YSO7fz1xkW_kRliDzmJ_Sg",
  "iss": "PingAccess",
  "exp": 1433131723,
  "access_token": "9TwtEfi4fYnuQkDKUYnRivf8uHIN",
  "pingaccess_refresh_exp": 1433305544,
  "phone_number": "+1 (425) 555-1212",
  "role": "sales",
  "address": {
    "street_address": "123 Main Street",
    "country": "USA",
    "formatted": "123 Main Street, Smallville, ME USA 11223",
    "locality": "Smallville",
    "region": "ME",
    "postal_code": "11223"
  }
}.
{
  Signature data
}
13. Session Status check and refresh
• Going back a couple of days … WHAT IF …
WHAT IF THE RIGHT IDENTITY BECOMES
A BAD ACTOR?
WHAT IF IDENTITY IS TOO WEAK & TOO
DISCONNECTED TO PROTECT US AT
SCALE?
14. Session Status check and refresh
• PingFederate Session Reference ID validation
• pi.sri session attribute
• PingFederate Session State Cache (seconds)
• PingAccess User Attribute Refresh
• pingaccess_refresh_exp
• Refresh User Attributes Interval (seconds)
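An added Python example, not PingAccess code, of how the two checks on this slide can be applied to a decoded PA session token (a claims dict): pi.sri is revalidated against PF, with the verdict cached for the session state cache window so that not every request calls PF, and the user attributes are fetched again once pingaccess_refresh_exp has passed and a new deadline is stamped. The cache window and refresh interval values, the pf_session_active and fetch_user_attributes callbacks standing in for the PF calls, and the sample claims are constructed for the demo; the slide names the settings but not their values.

```python
from typing import Callable, Dict, Optional, Tuple

# The slide names these two settings but not their values; the numbers here are constructed.
PF_SESSION_STATE_CACHE_SECONDS = 30             # how long a pi.sri verdict from PF is trusted
REFRESH_USER_ATTRIBUTES_INTERVAL_SECONDS = 300  # how long fetched user attributes are kept


class SessionStatusChecker:
    """Runs the two checks from the slide against a decoded PA session token (claims dict):
    1. pi.sri revalidation: ask PF whether the referenced PF session still exists, caching the
       answer for cache_seconds so that every request does not hit PF.
    2. user-attribute refresh: once pingaccess_refresh_exp has passed, fetch the user's
       attributes again and stamp a new pingaccess_refresh_exp.
    pf_session_active and fetch_user_attributes stand in for PF calls (assumed interfaces)."""

    def __init__(self, pf_session_active: Callable[[str], bool],
                 fetch_user_attributes: Callable[[str], Dict[str, object]],
                 cache_seconds: int = PF_SESSION_STATE_CACHE_SECONDS,
                 refresh_interval: int = REFRESH_USER_ATTRIBUTES_INTERVAL_SECONDS) -> None:
        self.pf_session_active = pf_session_active
        self.fetch_user_attributes = fetch_user_attributes
        self.cache_seconds = cache_seconds
        self.refresh_interval = refresh_interval
        self.sri_cache: Dict[str, Tuple[bool, int]] = {}   # pi.sri -> (verdict, checked_at)
        self.pf_calls = 0                                   # counted so cache behaviour is observable

    def sri_valid(self, sri: str, now: int) -> bool:
        """PF Session Reference ID validation with the session state cache in front of it."""
        cached = self.sri_cache.get(sri)
        if cached is not None and now - cached[1] < self.cache_seconds:
            return cached[0]            # inside the cache window: PF is not consulted
        verdict = self.pf_session_active(sri)
        self.pf_calls += 1
        self.sri_cache[sri] = (verdict, now)
        return verdict

    def check(self, claims: dict, now: int) -> Optional[dict]:
        """Return the (possibly updated) claims to re-issue, or None if the session must end."""
        sri = claims.get("pi.sri")
        if not sri or not self.sri_valid(sri, now):
            return None                 # PF session gone (logout/revocation): PA session ends too
        if now >= int(claims.get("pingaccess_refresh_exp", 0)):
            fresh = self.fetch_user_attributes(claims["sub"])
            claims = {**claims, **fresh, "pingaccess_refresh_exp": now + self.refresh_interval}
        return claims
```

The trade-off the cache makes visible: a PF session revoked at time T is still accepted by PA for up to the session state cache window after T, and a role change is only seen once pingaccess_refresh_exp passes. Both windows are therefore security settings, not just performance knobs.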
15. Session Timeout
• Idle Timeout (Minutes) default 60 minutes
• Max Timeout (Minutes) default 240 minutes
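An added Python example, not PingAccess code, of the idle and max timeouts on this slide applied to a signed session token shaped like the one on slides 10 and 12: issue on SSO, verify on every request, and re-issue on activity with iat kept and exp moved. It signs with HS256 and a constructed key so that it runs with the standard library alone; PingAccess signs with ES256 per the token header on slide 10, and only the signing step would change. The reading that exp after a re-issue is min(now + idle, iat + max) is an assumption; the slide states only that iat is fixed and exp changes.

```python
import base64
import hashlib
import hmac
import json
import uuid

# Slide defaults: Idle Timeout 60 minutes, Max Timeout 240 minutes
IDLE_TIMEOUT_SECONDS = 60 * 60
MAX_TIMEOUT_SECONDS = 240 * 60
# Constructed demo key. PingAccess uses ES256 (see the token header on slide 10);
# HS256 is used here only so the example needs nothing outside the standard library.
DEMO_KEY = b"constructed-demo-hmac-key-do-not-use"
ALG = "HS256"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jws(header: dict, claims: dict, key: bytes) -> str:
    """Compact JWS serialization: b64url(header).b64url(claims).b64url(MAC)."""
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + b64url(json.dumps(claims, separators=(",", ":")).encode()))
    mac = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(mac)


def issue_session_token(sub: str, sri: str, now: int, key: bytes = DEMO_KEY,
                        idle: int = IDLE_TIMEOUT_SECONDS, **user_attrs) -> str:
    """Session creation (proxy flow step 4): iat is the session start, exp the idle deadline."""
    header = {"alg": ALG, "kid": "7", "pi.sri": sri}     # same header fields as the slide's token
    claims = {"iss": "PingAccess", "aud": "global", "sub": sub, "pi.sri": sri,
              "jti": str(uuid.uuid4()), "iat": now, "exp": now + idle, **user_attrs}
    return sign_jws(header, claims, key)


def verify_session_token(token: str, now: int, key: bytes = DEMO_KEY,
                         max_timeout: int = MAX_TIMEOUT_SECONDS) -> dict:
    """Session check (proxy flow step 5). Raises ValueError naming the reason on failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, c, s = parts
    header = json.loads(b64url_decode(h))
    if header.get("alg") != ALG:                 # pin the algorithm; never let the token choose it
        raise ValueError("unexpected alg")
    expected = hmac.new(key, ("%s.%s" % (h, c)).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(c))
    if claims.get("iss") != "PingAccess" or claims.get("aud") != "global":
        raise ValueError("wrong issuer or audience")
    if now >= int(claims.get("iat", 0)) + max_timeout:   # absolute session lifetime
        raise ValueError("max timeout")
    if now >= int(claims.get("exp", 0)):                 # inactivity deadline
        raise ValueError("idle timeout")
    return claims


def reissue_session_token(token: str, now: int, key: bytes = DEMO_KEY,
                          idle: int = IDLE_TIMEOUT_SECONDS,
                          max_timeout: int = MAX_TIMEOUT_SECONDS) -> str:
    """Regular re-issue on activity: iat is kept, exp slides forward by the idle timeout but
    never past iat + max timeout (assumed reading of the two settings). jti is kept as well;
    the slide only specifies the iat/exp behaviour."""
    claims = verify_session_token(token, now, key, max_timeout)
    claims["exp"] = min(now + idle, claims["iat"] + max_timeout)
    header = {"alg": ALG, "kid": "7", "pi.sri": claims["pi.sri"]}
    return sign_jws(header, claims, key)
```

With client-side storage (slide 11) the whole token round-trips through the browser, so the signature protects the claims from modification but not from being read; that is the case the JWE option on slide 9 covers.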
JWT Attribute        | Description
"iat": 1433128123    | JWT creation timestamp, will NOT change on reissue
"exp": 1433131723    | JWT expiry timestamp, will change on reissue
16. OpenID Connect Based Single Logout
• Simple Logout (/pa/oidc/logout)
• Single Logout
• PF Config
• Track User Sessions for Logout (AS setting)
• Revoke User Session on Logout (Client Settings)
• PingAccess Logout Capable (Client Settings)
• https://<PF-BASE>/idp/startSLO.ping
17. PingAccess Scalability
• Stateless Engine Nodes
• Load balancing and fail over for protecting sites
• Simple Engine Node Deployment
• Token Mediation
18. Stateless Engine nodes
• How much state does an engine node hold?
• Temporary Token Cache
• (Optional) User Attributes
• Self-contained Session Token
• No State Sharing needed
• No Shared database needed
• Missing data is calculated or fetched from PF
19. Load balancing and fail over for sites
• Proxy deployment
• Load balance requests to multiple instances of target site
• Fail over strategy for target sites
• (Coming soon) implement custom Load Balancing strategies
20. Simple Engine Node Deployment
• Mostly environment setup
• Engine:
• Install JDK and PingAccess
• Modify one Line in run.properties
• Agent
• Install agent on web server of choice
• Create Agent/Engine config file from admin console, copy to the target server.
21. Token Mediation
• Token Exchange Using WS-TRUST
• Server: PingFederate
• Input: PA Session Token
• Output: Tokens supported by PF (WAM, OpenToken, etc.)
• Get a session token specific to a target site.
22. Thank you
Q&A