Hans Zandbelt, Ping Identity
Overview of the challenges we face when scaling up federation infrastructures, exploring possible ways to move forward and discussing protocols and concrete deployment architectures that allow for realizing Identity at Scale.
4. • No overarching trust model
– compare to SSL & Server Cert PKI
• No trust model, p2p
– No way forward to the IoT
• 3rd party provided trust is key
– compare to SSL CA
• Apply to / across:
– Web SSO and API Access
– mutual authentication
• Technical Trust vs. Behavioral Trust
Trust Model
Beyond Standards and Protocols
[1] http://shop.soundingboardink.com/shop/2011/01/18/an-operational-definition-of-trust/!
7. Trusted Shared Service
• Single/central/shared point of
connection management (trust)
• Trusted 3rd party
• From: user trust scale through
2nd party to SP/IDP trust
through 3rd-party
• Compares to TLS CA or
DNS(sec) root hierarchy
• Challenge: problem reduced in
size, shifted up one level
IDPSP
IDPSP
IDPSP
8. • Outsource metadata
management to a central
inband service
• Trust proxy only, relay to peers,
inhouse/outhouse
• MxN -> M+N connections
• Technical trust may be
combined with organizational
trust
• Accommodate for different
SAML implementations &
protocol translations
Solution 1: Proxy
IDPSP
IDPSP
IDPSP
Proxy
SPIDP
9. Metadata
• Outsource metadata
management to a central out-
of-band service
• aka. multi-party federation
• Higher Education & Research:
InCommon, UK Access
Federation, 50+
• Async technical trust (M+N)
• Sync direct peer-to-peer
communication (MxN)
• Metadata upload (!)
Solution 2: Metadata Service
IDPSP
IDPSP
IDPSP SAML
13. • Separate protocols for SSO and API
security
• Heavyweight - in payload and
processing
• Complex – develop and manage
• Manual trust bootstrapping and
certificate management* (it’s alive)
• SSO and API security in one
• Lightweight – mobile
• Simple – developer friendly
• Auto client registration and key
management
SAML and OpenID Connect
SAML OpenID Connect