CIS 2015: Session Management at Scale
Scott Tomilson
Jamshid (Jim) Khosravian
Copyright © 2015 Cloud Identity Summit. All rights reserved. 2
Session Management
Web
Jamshid (Jim) Khosravian
•  Senior Software Developer at PingIdentity
•  Software Technology Enthusiast
•  Canadian
(Sorry that I say sorry so much)
Agenda
•  PingAccess Session Management
•  Session Initiation/Creation
•  Session Token attributes
•  Session Attributes and Timeouts
•  Single Logout
•  PingAccess Scalability
•  Q&A
Session Initiation
•  PingAccess deployed in front of web apps (Proxy)
•  PingAccess Agent installed on the webserver hosting the web app (Agent)
•  PingFederate and PingAccess interactions
Proxy
High-level Flow:
1) Resource requested
2) PA checks URL policy – it's a protected resource. No PA session. Redirect to PF to log the user in.
3) User login, PF session created / validated.
4) User redirected back to resource. PA session created.
5) PA session check – OK.
6) Request OK – forward to backend resource.
Agent
High-level Flow:
1) Resource requested
2) PA agent forwards request to PA server
3) PA checks URL policy – it's a protected resource. No PA session. Creates redirect to PF for the agent. Agent sends redirect back.
4) User login, PF session created / validated.
5) User redirected back to resource.
6) PA agent forwards request to PA server
7) PA checks PF response – OK – creates session – sends response to agent
8) PA response – OK – access granted – requested resource served
Session Initiation
•  "Varied" session management handled within IdP Adapters at time of authentication / SSO
•  E.g.:
   •  HTML Form Adapter
   •  IWA
   •  WAM IK (third-party tokens)
•  Session tokens issued upon SSO & re-issued regularly to handle idle timeouts
•  JWT format (signed or encrypted)
•  Contain attributes required by protected apps & authn level
•  Can be scoped per application
Session Token
•  JWT
   •  Signed (JWS)
   •  Encrypted (JWE)
•  Content
   •  Session Attributes
   •  (Optional) User Attributes
Session Token (cont’d)

Received PF ID Token (Signed):
{
  "alg": "RS256",
  "kid": "gcs0e"
}.
{
  "sub": "joe",
  "aud": "PingAccessOIDC",
  "jti": "FfCzPyb74vu3va6RNjIBhC",
  "iss": "https://synapse.pingfederatelabs.com:9031",
  "iat": 1433128115,
  "exp": 1433128175,
  "pi.sri": "YPKOMwK7PF2xB9woQexUteMpn_U",
  "nonce": "rhZvrAswWdztaPq-RQSqcSVAWdOiXkRTGeg6y_zVvW0",
  "at_hash": "YSO7fz1xkW_kRliDzmJ_Sg"
}.
{
  Signature data
}

PA Session Token (Signed):
{
  "pi.sri": "YPKOMwK7PF2xB9woQexUteMpn_U",
  "kid": "7",
  "alg": "ES256"
}.
{
  "sub": "joe",
  "aud": "global",
  "jti": "5c68d4a7-357c-475d-8f01-02c0ddfc90ca",
  "iat": 1433128123,
  "at_hash": "YSO7fz1xkW_kRliDzmJ_Sg",
  "iss": "PingAccess",
  "exp": 1433131723,
  "pingaccess_refresh_exp": 1433305544,
  "access_token": "9TwtEfi4fYnuQkDKUYnRivf8uHIN",
  "phone_number": "+1 (425) 555-1212",
  "role": "sales",
  "address": {
    "street_address": "123 Main Street",
    "country": "USA",
    "formatted": "123 Main Street, Smallville, ME USA 11223",
    "locality": "Smallville",
    "region": "ME",
    "postal_code": "11223"
  }
}.
{
  Signature data
}
Session Storage
•  Client side
   •  Session attributes and user attributes inside session cookie
•  Server side
   •  Session attributes inside session cookie
   •  User attributes stored on server
Session Storage (cont’d)

Session Token (Server):
{
  "pi.sri": "YPKOMwK7PF2xB9woQexUteMpn_U",
  "kid": "7",
  "alg": "ES256"
}.
{
  "sub": "joe",
  "aud": "global",
  "jti": "5c68d4a7-357c-475d-8f01-02c0ddfc90ca",
  "iat": 1433128123,
  "updated_time": "2011-01-03T23:58:42+0000",
  "at_hash": "YSO7fz1xkW_kRliDzmJ_Sg",
  "iss": "PingAccess",
  "exp": 1433131723,
  "access_token": "9TwtEfi4fYnuQkDKUYnRivf8uHIN"
}.
{
  Signature data
}

Session Token (Client):
{
  "pi.sri": "YPKOMwK7PF2xB9woQexUteMpn_U",
  "kid": "7",
  "alg": "ES256"
}.
{
  "sub": "joe",
  "aud": "global",
  "jti": "5c68d4a7-357c-475d-8f01-02c0ddfc90ca",
  "iat": 1433128123,
  "updated_time": "2011-01-03T23:58:42+0000",
  "at_hash": "YSO7fz1xkW_kRliDzmJ_Sg",
  "iss": "PingAccess",
  "exp": 1433131723,
  "access_token": "9TwtEfi4fYnuQkDKUYnRivf8uHIN",
  "pingaccess_refresh_exp": 1433305544,
  "phone_number": "+1 (425) 555-1212",
  "role": "sales",
  "address": {
    "street_address": "123 Main Street",
    "country": "USA",
    "formatted": "123 Main Street, Smallville, ME USA 11223",
    "locality": "Smallville",
    "postal_code": "11223"
  }
}.
{
  Signature data
}
Session Status check and refresh
•  Going back a couple of days … WHAT IF …
WHAT IF THE RIGHT IDENTITY BECOMES A BAD ACTOR?
WHAT IF IDENTITY IS TOO WEAK & TOO DISCONNECTED TO PROTECT US AT SCALE?
Session Status check and refresh
•  PingFederate Session Reference ID validation
   •  pi.sri session attribute
   •  PingFederate Session State Cache (seconds)
•  PingAccess User Attribute Refresh
   •  pingaccess_refresh_exp
   •  Refresh User Attributes Interval (seconds)
Session Timeout
•  Idle Timeout (Minutes): default 60 minutes
•  Max Timeout (Minutes): default 240 minutes

JWT Attribute          Description
"iat": 1433128123      JWT creation timestamp; will NOT change on reissue
"exp": 1433131723      JWT expiry timestamp; will change on reissue
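A stdlib-only model of the token lifecycle described on the Session Storage, Session Status check and refresh, and Session Timeout slides, added here as an example and not PingAccess code: HS256 stands in for the ES256 the slides show so it runs without extra libraries, and the demo key, refresh interval and function names are assumptions.

```python
"""Model of a self-contained session token whose exp slides forward on each
reissue (idle timeout) while iat stays fixed and bounds the session lifetime
(max timeout). Not PingAccess code; an illustrative reconstruction."""
import base64
import hashlib
import hmac
import json
import uuid

# Defaults taken from the slides: Idle Timeout 60 min, Max Timeout 240 min.
IDLE_TIMEOUT_S = 60 * 60
MAX_TIMEOUT_S = 240 * 60
# "Refresh User Attributes Interval (seconds)": the value here is an assumption.
REFRESH_INTERVAL_S = 15 * 60

# Demo key, constructed for this example. The slides use ES256 (asymmetric);
# HS256 is used here only so the example runs with the standard library alone.
DEMO_KEY = b"constructed-demo-key-not-for-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jws(claims: dict, key: bytes, kid: str = "7") -> str:
    """Compact JWS serialization header.payload.signature, like the slides' tokens."""
    header = {"alg": "HS256", "kid": kid}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_jws(token: str, key: bytes) -> dict:
    """Return the claims if the signature verifies; raise ValueError otherwise."""
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(head_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never trust the token's choice
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(body_b64))


def create_session(sub: str, pi_sri: str, user_attrs: dict, now: int,
                   client_side: bool = True, key: bytes = DEMO_KEY) -> str:
    """Issue a session token. Client-side storage carries user attributes in the
    token; server-side storage keeps only session attributes in the cookie."""
    claims = {
        "iss": "PingAccess",
        "aud": "global",
        "sub": sub,
        "jti": str(uuid.uuid4()),
        "pi.sri": pi_sri,  # PF session reference id, validated against PF
        "iat": now,
        "exp": now + IDLE_TIMEOUT_S,
        "pingaccess_refresh_exp": now + REFRESH_INTERVAL_S,
    }
    if client_side:
        claims.update(user_attrs)
    return sign_jws(claims, key)


def check_session(token: str, now: int, key: bytes = DEMO_KEY):
    """Classify a presented token as ok / refresh_attributes / expired_idle /
    expired_max and return it with the verified claims. Bad signatures raise."""
    claims = verify_jws(token, key)
    if now >= claims["iat"] + MAX_TIMEOUT_S:  # max timeout counts from original login
        return "expired_max", claims
    if now >= claims["exp"]:  # idle timeout: no reissue happened in time
        return "expired_idle", claims
    if now >= claims["pingaccess_refresh_exp"]:  # user attributes must be re-fetched from PF
        return "refresh_attributes", claims
    return "ok", claims


def reissue(claims: dict, now: int, refreshed_attrs: dict = None,
            key: bytes = DEMO_KEY) -> str:
    """Reissue on activity: exp moves forward, iat stays fixed (as the slides
    state), so exp can never pass the max timeout measured from iat."""
    refreshed = dict(claims)
    refreshed["exp"] = min(now + IDLE_TIMEOUT_S, claims["iat"] + MAX_TIMEOUT_S)
    if refreshed_attrs is not None:  # attributes were just re-fetched from PF
        refreshed.update(refreshed_attrs)
        refreshed["pingaccess_refresh_exp"] = now + REFRESH_INTERVAL_S
    return sign_jws(refreshed, key)
```

Because exp is capped at iat plus the max timeout, a session that is reissued continuously still ends at the max timeout; a tampered payload fails signature verification before any timeout logic runs.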
OpenID Connect Based Single Logout
•  Simple Logout (/pa/oidc/logout)
•  Single Logout
   •  PF Config
      •  Track User Sessions for Logout (AS setting)
      •  Revoke User Session on Logout (Client Settings)
      •  PingAccess Logout Capable (Client Settings)
   •  https://<PF-BASE>/idp/startSLO.ping
PingAccess Scalability
•  Stateless Engine Nodes
•  Load balancing and fail over for protecting sites
•  Simple Engine Node Deployment
•  Token Mediation
Stateless Engine Nodes
•  How much?
   •  Temporary Token Cache
   •  (Optional) User Attributes
•  Self-contained Session Token
   •  No state sharing needed
   •  No shared database needed
   •  Missing data is calculated or fetched from PF
Load balancing and fail over for sites
•  Proxy deployment
   •  Load balance requests to multiple instances of target site
   •  Fail over strategy for target sites
   •  (Coming soon) implement custom load balancing strategies
Simple Engine Node Deployment
•  Mostly environment setup
•  Engine:
   •  Install JDK and PingAccess
   •  Modify one line in run.properties
•  Agent:
   •  Install agent on web server of choice
   •  Create Agent/Engine config file from admin console, copy to the target server.
Token Mediation
•  Token exchange using WS-Trust
   •  Server: PingFederate
   •  Input: PA Session Token
   •  Output: tokens supported by PF (WAM, OpenToken, etc.)
•  Get a session token specific to a target site.
Thank you
Q&A

More Related Content

What's hot

The WSO2 Identity Server - An answer to your common XACML dilemmas
The WSO2 Identity Server - An answer to your common XACML dilemmas The WSO2 Identity Server - An answer to your common XACML dilemmas
The WSO2 Identity Server - An answer to your common XACML dilemmas
WSO2
 
CA Security - Deloitte IAM Summit - Vasu
CA Security - Deloitte IAM Summit  - VasuCA Security - Deloitte IAM Summit  - Vasu
CA Security - Deloitte IAM Summit - Vasu
Vasu Surabhi
 
SSO Strategy Implementation Considerations
SSO Strategy Implementation ConsiderationsSSO Strategy Implementation Considerations
SSO Strategy Implementation Considerations
John Bauer
 

What's hot (20)

Multi-Tenancy with Spring Boot
Multi-Tenancy with Spring Boot Multi-Tenancy with Spring Boot
Multi-Tenancy with Spring Boot
 
Spring Boot Authentication...and More!
Spring Boot Authentication...and More! Spring Boot Authentication...and More!
Spring Boot Authentication...and More!
 
Managing Identities in the World of APIs
Managing Identities in the World of APIsManaging Identities in the World of APIs
Managing Identities in the World of APIs
 
Secure API Services in Node with Basic Auth and OAuth2
Secure API Services in Node with Basic Auth and OAuth2Secure API Services in Node with Basic Auth and OAuth2
Secure API Services in Node with Basic Auth and OAuth2
 
The WSO2 Identity Server - An answer to your common XACML dilemmas
The WSO2 Identity Server - An answer to your common XACML dilemmas The WSO2 Identity Server - An answer to your common XACML dilemmas
The WSO2 Identity Server - An answer to your common XACML dilemmas
 
CIS14: Early Peek at PingFederate Administrative REST API
CIS14: Early Peek at PingFederate Administrative REST APICIS14: Early Peek at PingFederate Administrative REST API
CIS14: Early Peek at PingFederate Administrative REST API
 
WSO2Con ASIA 2016: Case Study: Identity in the WSO2 Ecosystem
WSO2Con ASIA 2016: Case Study: Identity in the WSO2 EcosystemWSO2Con ASIA 2016: Case Study: Identity in the WSO2 Ecosystem
WSO2Con ASIA 2016: Case Study: Identity in the WSO2 Ecosystem
 
Azure security guidelines for developers
Azure security guidelines for developers Azure security guidelines for developers
Azure security guidelines for developers
 
Stormpath 101: Spring Boot + Spring Security
Stormpath 101: Spring Boot + Spring SecurityStormpath 101: Spring Boot + Spring Security
Stormpath 101: Spring Boot + Spring Security
 
CA Security - Deloitte IAM Summit - Vasu
CA Security - Deloitte IAM Summit  - VasuCA Security - Deloitte IAM Summit  - Vasu
CA Security - Deloitte IAM Summit - Vasu
 
CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...
CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...
CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...
 
How to Use Stormpath in angular js
How to Use Stormpath in angular jsHow to Use Stormpath in angular js
How to Use Stormpath in angular js
 
CIS14: Best Practices You Must Apply to Secure Your APIs
CIS14: Best Practices You Must Apply to Secure Your APIsCIS14: Best Practices You Must Apply to Secure Your APIs
CIS14: Best Practices You Must Apply to Secure Your APIs
 
JWTs for CSRF and Microservices
JWTs for CSRF and MicroservicesJWTs for CSRF and Microservices
JWTs for CSRF and Microservices
 
SSO Strategy Implementation Considerations
SSO Strategy Implementation ConsiderationsSSO Strategy Implementation Considerations
SSO Strategy Implementation Considerations
 
Mobile Authentication for iOS Applications - Stormpath 101
Mobile Authentication for iOS Applications - Stormpath 101Mobile Authentication for iOS Applications - Stormpath 101
Mobile Authentication for iOS Applications - Stormpath 101
 
CIS 2016 Content Highlights
CIS 2016 Content HighlightsCIS 2016 Content Highlights
CIS 2016 Content Highlights
 
Easy Auth Overview - Tokyo Azure Meetup - Feb 2018
Easy Auth Overview - Tokyo Azure Meetup - Feb 2018Easy Auth Overview - Tokyo Azure Meetup - Feb 2018
Easy Auth Overview - Tokyo Azure Meetup - Feb 2018
 
Red Hat Summit - OpenShift Identity Management and Compliance
Red Hat Summit - OpenShift Identity Management and ComplianceRed Hat Summit - OpenShift Identity Management and Compliance
Red Hat Summit - OpenShift Identity Management and Compliance
 
WSO2Con EU 2015: Securing, Monitoring and Monetizing APIs
WSO2Con EU  2015: Securing, Monitoring and Monetizing APIsWSO2Con EU  2015: Securing, Monitoring and Monetizing APIs
WSO2Con EU 2015: Securing, Monitoring and Monetizing APIs
 

Viewers also liked

Viewers also liked (11)

CIS 2015 SCIM in the Real World - Kelly Grizzle
CIS 2015 SCIM in the Real World -  Kelly GrizzleCIS 2015 SCIM in the Real World -  Kelly Grizzle
CIS 2015 SCIM in the Real World - Kelly Grizzle
 
Arputer overview 3413
Arputer overview   3413Arputer overview   3413
Arputer overview 3413
 
CIS 2015- User-Authorized Discovery- George Fletcher
CIS 2015- User-Authorized Discovery- George FletcherCIS 2015- User-Authorized Discovery- George Fletcher
CIS 2015- User-Authorized Discovery- George Fletcher
 
CIS 2015 Mergers & Acquisitions in a Cloud Enabled World - Brian Puhl
CIS 2015 Mergers & Acquisitions in a Cloud Enabled World - Brian PuhlCIS 2015 Mergers & Acquisitions in a Cloud Enabled World - Brian Puhl
CIS 2015 Mergers & Acquisitions in a Cloud Enabled World - Brian Puhl
 
CIS 2015-Lessons Learned in the First Year of an IAM Program- Matt Chambers
CIS 2015-Lessons Learned in the First Year of an IAM Program- Matt ChambersCIS 2015-Lessons Learned in the First Year of an IAM Program- Matt Chambers
CIS 2015-Lessons Learned in the First Year of an IAM Program- Matt Chambers
 
CIS 2015-Lessons In Access Management - supporting cloud and mobile with a co...
CIS 2015-Lessons In Access Management - supporting cloud and mobile with a co...CIS 2015-Lessons In Access Management - supporting cloud and mobile with a co...
CIS 2015-Lessons In Access Management - supporting cloud and mobile with a co...
 
What Happens When Republicans Restrict Abortion Access
What Happens When Republicans Restrict Abortion Access What Happens When Republicans Restrict Abortion Access
What Happens When Republicans Restrict Abortion Access
 
CIS 2015- Assessing the Risk of Identity and Access- Venkat Rajaji
CIS 2015- Assessing the Risk of Identity and Access- Venkat RajajiCIS 2015- Assessing the Risk of Identity and Access- Venkat Rajaji
CIS 2015- Assessing the Risk of Identity and Access- Venkat Rajaji
 
CIS 2015- IoT? The ‘I’ needs to be ‘Identity’- Paul Madsen
CIS 2015- IoT? The ‘I’ needs to be ‘Identity’- Paul MadsenCIS 2015- IoT? The ‘I’ needs to be ‘Identity’- Paul Madsen
CIS 2015- IoT? The ‘I’ needs to be ‘Identity’- Paul Madsen
 
CIS 2015 How to secure the Internet of Things? Hannes Tschofenig
CIS 2015 How to secure the Internet of Things? Hannes TschofenigCIS 2015 How to secure the Internet of Things? Hannes Tschofenig
CIS 2015 How to secure the Internet of Things? Hannes Tschofenig
 
CIS 2015 Modernize IAM with UnboundID and Ping Identity - Terry Sigle & B. Al...
CIS 2015 Modernize IAM with UnboundID and Ping Identity - Terry Sigle & B. Al...CIS 2015 Modernize IAM with UnboundID and Ping Identity - Terry Sigle & B. Al...
CIS 2015 Modernize IAM with UnboundID and Ping Identity - Terry Sigle & B. Al...
 

Similar to CIS 2015 Session Management at Scale - Scott Tomilson & Jamshid Khosravian

SPS Ozarks 2012: Kerberos Survival Guide
SPS Ozarks 2012: Kerberos Survival GuideSPS Ozarks 2012: Kerberos Survival Guide
SPS Ozarks 2012: Kerberos Survival Guide
J.D. Wade
 

Similar to CIS 2015 Session Management at Scale - Scott Tomilson & Jamshid Khosravian (20)

Customer Scale: Stateless Sessions and Managing High-Volume Digital Services
Customer Scale: Stateless Sessions and Managing High-Volume Digital ServicesCustomer Scale: Stateless Sessions and Managing High-Volume Digital Services
Customer Scale: Stateless Sessions and Managing High-Volume Digital Services
 
Identity Summit UK: STATELESS SESSIONS AND MANAGING HIGH-VOLUME DIGITAL SERVICES
Identity Summit UK: STATELESS SESSIONS AND MANAGING HIGH-VOLUME DIGITAL SERVICESIdentity Summit UK: STATELESS SESSIONS AND MANAGING HIGH-VOLUME DIGITAL SERVICES
Identity Summit UK: STATELESS SESSIONS AND MANAGING HIGH-VOLUME DIGITAL SERVICES
 
CIS 2015 Extreme SAML - Hans Zandbelt
CIS 2015 Extreme SAML - Hans ZandbeltCIS 2015 Extreme SAML - Hans Zandbelt
CIS 2015 Extreme SAML - Hans Zandbelt
 
Webinar: Extend The Power of The ForgeRock Identity Platform Through Scripting
Webinar: Extend The Power of The ForgeRock Identity Platform Through ScriptingWebinar: Extend The Power of The ForgeRock Identity Platform Through Scripting
Webinar: Extend The Power of The ForgeRock Identity Platform Through Scripting
 
CIS 2015 Extreme OpenID Connect - John Bradley
CIS 2015 Extreme OpenID Connect - John BradleyCIS 2015 Extreme OpenID Connect - John Bradley
CIS 2015 Extreme OpenID Connect - John Bradley
 
SPS Ozarks 2012: Kerberos Survival Guide
SPS Ozarks 2012: Kerberos Survival GuideSPS Ozarks 2012: Kerberos Survival Guide
SPS Ozarks 2012: Kerberos Survival Guide
 
CIS 2015 Extreme OAuth - Paul Meyer
CIS 2015 Extreme OAuth - Paul MeyerCIS 2015 Extreme OAuth - Paul Meyer
CIS 2015 Extreme OAuth - Paul Meyer
 
2016 pycontw web api authentication
2016 pycontw web api authentication 2016 pycontw web api authentication
2016 pycontw web api authentication
 
OpenStack Architecture
OpenStack ArchitectureOpenStack Architecture
OpenStack Architecture
 
OpenStack Architecture
OpenStack ArchitectureOpenStack Architecture
OpenStack Architecture
 
Transforming Consumer Banking with a 100% Cloud-Based Bank (FSV204) - AWS re:...
Transforming Consumer Banking with a 100% Cloud-Based Bank (FSV204) - AWS re:...Transforming Consumer Banking with a 100% Cloud-Based Bank (FSV204) - AWS re:...
Transforming Consumer Banking with a 100% Cloud-Based Bank (FSV204) - AWS re:...
 
Webinar: Customer Scale
Webinar: Customer ScaleWebinar: Customer Scale
Webinar: Customer Scale
 
Internet of Things and Edge Compute at Chick-fil-A
Internet of Things and Edge Compute at Chick-fil-AInternet of Things and Edge Compute at Chick-fil-A
Internet of Things and Edge Compute at Chick-fil-A
 
IBM Licensing: Technical fundamentals for discovery
IBM Licensing: Technical fundamentals for discoveryIBM Licensing: Technical fundamentals for discovery
IBM Licensing: Technical fundamentals for discovery
 
Online Meetup - MuleSoft - June 2020
 Online Meetup - MuleSoft - June 2020  Online Meetup - MuleSoft - June 2020
Online Meetup - MuleSoft - June 2020
 
Apic dc api deep dive
Apic dc api deep dive Apic dc api deep dive
Apic dc api deep dive
 
Security Architecture Consulting - Hiren Shah
Security Architecture Consulting - Hiren ShahSecurity Architecture Consulting - Hiren Shah
Security Architecture Consulting - Hiren Shah
 
[WSO2 API Manager Community Call] Mastering JWTs with WSO2 API Manager
[WSO2 API Manager Community Call] Mastering JWTs with WSO2 API Manager[WSO2 API Manager Community Call] Mastering JWTs with WSO2 API Manager
[WSO2 API Manager Community Call] Mastering JWTs with WSO2 API Manager
 
OIDF Workshop at Verizon Media -- 9/30/2019 -- FastFed Working Group Update
OIDF Workshop at Verizon Media -- 9/30/2019 -- FastFed Working Group UpdateOIDF Workshop at Verizon Media -- 9/30/2019 -- FastFed Working Group Update
OIDF Workshop at Verizon Media -- 9/30/2019 -- FastFed Working Group Update
 
APIs, STOP Polling, lets go Streaming
APIs, STOP Polling, lets go StreamingAPIs, STOP Polling, lets go Streaming
APIs, STOP Polling, lets go Streaming
 

More from CloudIDSummit

CIS 2015 Security Without Borders: Taming the Cloud and Mobile Frontier - And...
CIS 2015 Security Without Borders: Taming the Cloud and Mobile Frontier - And...CIS 2015 Security Without Borders: Taming the Cloud and Mobile Frontier - And...
CIS 2015 Security Without Borders: Taming the Cloud and Mobile Frontier - And...
CloudIDSummit
 
Mobile security, identity & authentication reasons for optimism 20150607 v2
Mobile security, identity & authentication   reasons for optimism 20150607 v2Mobile security, identity & authentication   reasons for optimism 20150607 v2
Mobile security, identity & authentication reasons for optimism 20150607 v2
CloudIDSummit
 

More from CloudIDSummit (20)

Top 6 Reasons You Should Attend Cloud Identity Summit 2016
Top 6 Reasons You Should Attend Cloud Identity Summit 2016Top 6 Reasons You Should Attend Cloud Identity Summit 2016
Top 6 Reasons You Should Attend Cloud Identity Summit 2016
 
CIS 2015 Security Without Borders: Taming the Cloud and Mobile Frontier - And...
CIS 2015 Security Without Borders: Taming the Cloud and Mobile Frontier - And...CIS 2015 Security Without Borders: Taming the Cloud and Mobile Frontier - And...
CIS 2015 Security Without Borders: Taming the Cloud and Mobile Frontier - And...
 
Mobile security, identity & authentication reasons for optimism 20150607 v2
Mobile security, identity & authentication   reasons for optimism 20150607 v2Mobile security, identity & authentication   reasons for optimism 20150607 v2
Mobile security, identity & authentication reasons for optimism 20150607 v2
 
CIS 2015 Mobile Security, Identity & Authentication: Reasons for Optimism - R...
CIS 2015 Mobile Security, Identity & Authentication: Reasons for Optimism - R...CIS 2015 Mobile Security, Identity & Authentication: Reasons for Optimism - R...
CIS 2015 Mobile Security, Identity & Authentication: Reasons for Optimism - R...
 
CIS 2015 Virtual Identity: The Vision, Challenges and Experiences in Driving ...
CIS 2015 Virtual Identity: The Vision, Challenges and Experiences in Driving ...CIS 2015 Virtual Identity: The Vision, Challenges and Experiences in Driving ...
CIS 2015 Virtual Identity: The Vision, Challenges and Experiences in Driving ...
 
CIS 2015 Deploying Strong Authentication to a Global Enterprise: A Comedy in ...
CIS 2015 Deploying Strong Authentication to a Global Enterprise: A Comedy in ...CIS 2015 Deploying Strong Authentication to a Global Enterprise: A Comedy in ...
CIS 2015 Deploying Strong Authentication to a Global Enterprise: A Comedy in ...
 
CIS 2015 Without Great Security, Digital Identity is Not Worth the Electrons ...
CIS 2015 Without Great Security, Digital Identity is Not Worth the Electrons ...CIS 2015 Without Great Security, Digital Identity is Not Worth the Electrons ...
CIS 2015 Without Great Security, Digital Identity is Not Worth the Electrons ...
 
CIS 2015 IoT and IDM in your Mobile Enterprise - Brian Katz
CIS 2015 IoT and IDM  in your Mobile Enterprise - Brian KatzCIS 2015 IoT and IDM  in your Mobile Enterprise - Brian Katz
CIS 2015 IoT and IDM in your Mobile Enterprise - Brian Katz
 
CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...
CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...
CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...
 
CIS 2015 What I Learned From Pitching IAM To My CIO - Steve Tout
CIS 2015 What I Learned From Pitching IAM To My CIO - Steve ToutCIS 2015 What I Learned From Pitching IAM To My CIO - Steve Tout
CIS 2015 What I Learned From Pitching IAM To My CIO - Steve Tout
 
The Industrial Internet, the Identity of Everything and the Industrial Enterp...
The Industrial Internet, the Identity of Everything and the Industrial Enterp...The Industrial Internet, the Identity of Everything and the Industrial Enterp...
The Industrial Internet, the Identity of Everything and the Industrial Enterp...
 
CIS 2015 Identity Relationship Management in the Internet of Things
CIS 2015 Identity Relationship Management in the Internet of ThingsCIS 2015 Identity Relationship Management in the Internet of Things
CIS 2015 Identity Relationship Management in the Internet of Things
 
CIS 2015 The Ethics of Personal Data - Robin Wilton
CIS 2015 The Ethics of Personal Data - Robin WiltonCIS 2015 The Ethics of Personal Data - Robin Wilton
CIS 2015 The Ethics of Personal Data - Robin Wilton
 
CIS 2015 What’s next? Discovery, Dynamic Registration, Mobile Connect and mor...
CIS 2015 What’s next? Discovery, Dynamic Registration, Mobile Connect and mor...CIS 2015 What’s next? Discovery, Dynamic Registration, Mobile Connect and mor...
CIS 2015 What’s next? Discovery, Dynamic Registration, Mobile Connect and mor...
 
CIS 2015 OpenID Connect and Mobile Applications - David Chase
CIS 2015 OpenID Connect and Mobile Applications - David ChaseCIS 2015 OpenID Connect and Mobile Applications - David Chase
CIS 2015 OpenID Connect and Mobile Applications - David Chase
 
CIS 2015 OpenID Connect Workshop Part 1: Challenges for mobile - B. Allyn Fay
CIS 2015 OpenID Connect Workshop Part 1: Challenges for mobile - B. Allyn FayCIS 2015 OpenID Connect Workshop Part 1: Challenges for mobile - B. Allyn Fay
CIS 2015 OpenID Connect Workshop Part 1: Challenges for mobile - B. Allyn Fay
 
DIRECTORY CIS 2015 - Eric Fazendin
DIRECTORY CIS 2015 - Eric FazendinDIRECTORY CIS 2015 - Eric Fazendin
DIRECTORY CIS 2015 - Eric Fazendin
 
CIS 2015 Multi-factor for All, the Easy Way - Ran Ne'man
CIS 2015 Multi-factor for All, the Easy Way - Ran Ne'manCIS 2015 Multi-factor for All, the Easy Way - Ran Ne'man
CIS 2015 Multi-factor for All, the Easy Way - Ran Ne'man
 
CIS 2015 Easy Federation in Cloud and on Premises - Ian Jaffe
CIS 2015 Easy Federation in Cloud and on Premises - Ian JaffeCIS 2015 Easy Federation in Cloud and on Premises - Ian Jaffe
CIS 2015 Easy Federation in Cloud and on Premises - Ian Jaffe
 
CIS 2015 User Managed Access - George Fletcher
CIS 2015 User Managed Access - George FletcherCIS 2015 User Managed Access - George Fletcher
CIS 2015 User Managed Access - George Fletcher
 

Recently uploaded

Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Victor Rentea
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 

Recently uploaded (20)

Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering Developers
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 

CIS 2015 Session Management at Scale - Scott Tomilson & Jamshid Khosravian

  • 1. Session Management at Scale
    Scott Tomilson, Jamshid (Jim) Khosravian
  • 2. Session Management (Web)
    Copyright © 2015 Cloud Identity Summit. All rights reserved.
  • 3. Jamshid (Jim) Khosravian (Sorry that I say sorry so much)
    •  Senior Software Developer at PingIdentity
    •  Software Technology Enthusiast
    •  Canadian
  • 4. Agenda
    •  PingAccess Session Management
    •  Session Initiation/Creation
    •  Session Token attributes
    •  Session Attributes and Timeouts
    •  Single Logout
    •  PingAccess Scalability
    •  Q&A
  • 5. Session Initiation
    •  PingAccess deployed in front of web apps (Proxy)
    •  PingAccess Agent installed on the webserver hosting the web app (Agent)
    •  PingFederate and PingAccess interactions
  • 6. Proxy
    High-level Flow:
    1) Resource requested
    2) PA checks URL policy – it's a protected resource. No PA session. Redirect to PF to log in the user.
    3) User login, PF session created / validated.
    4) User redirected back to resource. PA session created.
    5) PA session check – OK.
    6) Request OK – forward to backend resource.
  • 7. Agent
    High-level Flow:
    1) Resource requested
    2) PA agent forwards request to PA server
    3) PA checks URL policy – it's a protected resource. No PA session. Creates redirect to PF for the Agent. Agent sends the redirect back.
    4) User login, PF session created / validated.
    5) User redirected back to resource.
    6) PA agent forwards request to PA server
    7) PA checks PF response – OK – creates sessions – sends response to Agent
    8) PA response – OK – access granted – requested resource served
  • 8. Session Initiation
    •  "Varied" Session Management handled within IdP Adapters at time of authentication / SSO
    •  E.g.:
      •  HTML Form Adapter
      •  IWA
      •  WAM IK (Third-party tokens)
    •  Session tokens issued upon SSO & re-issued regularly to handle idle timeouts
    •  JWT format (signed or encrypted)
    •  Contain attributes required by protected apps & authn level
    •  Can be scoped per Application
  • 9. Session Token
    •  JWT
      •  Signed (JWS)
      •  Encrypted (JWE)
    •  Content
      •  Session Attributes
      •  (Optional) User Attributes
  • 10. Session Token (cont'd)
    Received PF ID Token (Signed):
      { "alg": "RS256", "kid": "gcs0e" }
      .
      {
        "sub": "joe",
        "aud": "PingAccessOIDC",
        "jti": "FfCzPyb74vu3va6RNjIBhC",
        "iss": "https://synapse.pingfederatelabs.com:9031",
        "iat": 1433128115,
        "exp": 1433128175,
        "pi.sri": "YPKOMwK7PF2xB9woQexUteMpn_U",
        "nonce": "rhZvrAswWdztaPq-RQSqcSVAWdOiXkRTGeg6y_zVvW0",
        "at_hash": "YSO7fz1xkW_kRliDzmJ_Sg"
      }
      .
      { Signature data }
    PA Session Token (Signed):
      { "pi.sri": "YPKOMwK7PF2xB9woQexUteMpn_U", "kid": "7", "alg": "ES256" }
      .
      {
        "sub": "joe",
        "aud": "global",
        "jti": "5c68d4a7-357c-475d-8f01-02c0ddfc90ca",
        "iat": 1433128123,
        "at_hash": "YSO7fz1xkW_kRliDzmJ_Sg",
        "iss": "PingAccess",
        "exp": 1433131723,
        "pingaccess_refresh_exp": 1433305544,
        "access_token": "9TwtEfi4fYnuQkDKUYnRivf8uHIN",
        "phone_number": "+1 (425) 555-1212",
        "role": "sales",
        "address": {
          "street_address": "123 Main Street",
          "country": "USA",
          "formatted": "123 Main Street, Smallville, ME USA 11223",
          "locality": "Smallville",
          "region": "ME",
          "postal_code": "11223"
        }
      }
      .
      { Signature data }
  • 11. Session Storage
    •  Client Side
      •  Session attributes and user attributes inside session cookie
    •  Server Side
      •  Session attributes inside session cookie
      •  User attributes stored on server
  • 12. Session Storage (cont'd)
    Session Token (Server):
      { "pi.sri": "YPKOMwK7PF2xB9woQexUteMpn_U", "kid": "7", "alg": "ES256" }
      .
      {
        "sub": "joe",
        "aud": "global",
        "jti": "5c68d4a7-357c-475d-8f01-02c0ddfc90ca",
        "iat": 1433128123,
        "updated_time": "2011-01-03T23:58:42+0000",
        "at_hash": "YSO7fz1xkW_kRliDzmJ_Sg",
        "iss": "PingAccess",
        "exp": 1433131723,
        "access_token": "9TwtEfi4fYnuQkDKUYnRivf8uHIN"
      }
      .
      { Signature data }
    Session Token (Client):
      { "pi.sri": "YPKOMwK7PF2xB9woQexUteMpn_U", "kid": "7", "alg": "ES256" }
      .
      {
        "sub": "joe",
        "aud": "global",
        "jti": "5c68d4a7-357c-475d-8f01-02c0ddfc90ca",
        "iat": 1433128123,
        "updated_time": "2011-01-03T23:58:42+0000",
        "at_hash": "YSO7fz1xkW_kRliDzmJ_Sg",
        "iss": "PingAccess",
        "exp": 1433131723,
        "access_token": "9TwtEfi4fYnuQkDKUYnRivf8uHIN",
        "pingaccess_refresh_exp": 1433305544,
        "phone_number": "+1 (425) 555-1212",
        "role": "sales",
        "address": {
          "street_address": "123 Main Street",
          "country": "USA",
          "formatted": "123 Main Street, Smallville, ME USA 11223",
          "locality": "Smallville",
          "postal_code": "11223"
        }
      }
      .
      { Signature data }
  • 13. Session Status check and refresh
    •  Going back a couple of days … WHAT IF …
    WHAT IF THE RIGHT IDENTITY BECOMES A BAD ACTOR?
    WHAT IF IDENTITY IS TOO WEAK & TOO DISCONNECTED TO PROTECT US AT SCALE?
  • 14. Session Status check and refresh
    •  PingFederate Session Reference ID validation
      •  pi.sri session attribute
      •  PingFederate Session State Cache (seconds)
    •  PingAccess User Attribute Refresh
      •  pingaccess_refresh_exp
      •  Refresh User Attributes Interval (seconds)
  • 15. Session Timeout
    •  Idle Timeout (Minutes), default 60 minutes
    •  Max Timeout (Minutes), default 240 minutes
    JWT Attribute         | Description
    "iat": 1433128123     | JWT creation timestamp, will NOT change on reissue
    "exp": 1433131723     | JWT expiry timestamp, will change on reissue
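The idle/max timeout and reissue semantics of this slide, together with the pingaccess_refresh_exp check from slide 14, worked through as an added Python example; this is not PingAccess code. It assumes HS256 with a constructed key in place of the ES256 signature shown on the slides, a constructed 3600-second refresh interval, and a constructed rule that reissues the token once less than half the idle window remains.

```python
import base64, hashlib, hmac, json, uuid

IDLE_TIMEOUT = 60 * 60        # PingAccess default idle timeout (60 minutes)
MAX_TIMEOUT = 240 * 60        # PingAccess default max timeout (240 minutes)
REFRESH_INTERVAL = 3600       # constructed "Refresh User Attributes Interval" (seconds)
KEY = b"constructed-demo-key"  # constructed; PA signs with ES256/RS256, HS256 stands in
def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(claims: dict) -> str:
    """Compact JWS (header.payload.signature) over the session claims."""
    header = _b64(b'{"alg":"HS256","kid":"7"}')
    payload = _b64(json.dumps(claims, separators=(",", ":")).encode())
    mac = hmac.new(KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(mac)}"

def verify(token: str) -> dict:
    """Check the signature and return the claims; raise if the token was altered."""
    header, payload, sig = token.split(".")
    mac = hmac.new(KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, _unb64(sig)):
        raise ValueError("invalid session token signature")
    return json.loads(_unb64(payload))

def create_session(sub: str, sri: str, now: int) -> str:
    """Mint the PA session token once PF has authenticated the user (proxy flow step 4)."""
    return sign({"sub": sub, "aud": "global", "iss": "PingAccess", "jti": str(uuid.uuid4()),
                 "pi.sri": sri, "iat": now, "exp": now + IDLE_TIMEOUT,
                 "pingaccess_refresh_exp": now + REFRESH_INTERVAL})

def check_session(token: str, now: int) -> tuple:
    """Per-request check -> (status, token, refresh_user_attrs); status is 'expired'
    (bad signature, idle or max timeout hit: redirect to PF), 'ok', or 'reissued'
    (same iat and jti, new exp). Reissuing when under half the idle window remains
    is a constructed policy, not PingAccess's actual schedule."""
    try:
        c = verify(token)
    except ValueError:
        return "expired", None, False
    hard_limit = c["iat"] + MAX_TIMEOUT  # iat never changes, so this caps the sliding exp
    if now >= c["exp"] or now >= hard_limit:
        return "expired", None, False
    refresh = now >= c["pingaccess_refresh_exp"]  # time to re-pull user attributes from PF
    if c["exp"] - now > IDLE_TIMEOUT // 2:
        return "ok", token, refresh
    c["exp"] = min(now + IDLE_TIMEOUT, hard_limit)
    if refresh:
        c["pingaccess_refresh_exp"] = now + REFRESH_INTERVAL
    return "reissued", sign(c), refresh
```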
  • 16. OpenID Connect Based Single Logout
    •  Simple Logout (/pa/oidc/logout)
    •  Single Logout
      •  PF Config
        •  Track User Sessions for Logout (AS setting)
        •  Revoke User Session on Logout (Client Settings)
        •  PingAccess Logout Capable (Client Settings)
      •  https://<PF-BASE>/idp/startSLO.ping
  • 17. PingAccess Scalability
    •  Stateless Engine Nodes
    •  Load balancing and fail over for protected sites
    •  Simple Engine Node Deployment
    •  Token Mediation
  • 18. Stateless Engine nodes
    •  How much?
      •  Temporary Token Cache
      •  (Optional) User Attributes
    •  Self-contained Session Token
    •  No State Sharing needed
    •  No Shared database needed
    •  Missing data is calculated or fetched from PF
  • 19. Load balancing and fail over for sites
    •  Proxy deployment
    •  Load balance requests to multiple instances of target site
    •  Fail over strategy for target sites
    •  (Coming soon) implement custom Load Balancing strategies
  • 20. Simple Engine Node Deployment
    •  Mostly environment setup
    •  Engine:
      •  Install JDK and PingAccess
      •  Modify one line in run.properties
    •  Agent:
      •  Install agent on web server of choice
      •  Create Agent/Engine config file from admin console, copy to the target server.
  • 21. Token Mediation
    •  Token Exchange using WS-Trust
      •  Server: PingFederate
      •  Input: PA Session Token
      •  Output: Tokens supported by PF (WAM, OpenToken, etc.)
    •  Get a session token specific to a target site.
  • 22. Thank you – Q&A