Justin Richer, The MITRE Corporation
A report on MITRE’s MITREid platform, which allows thousands of active users to access hundreds of relying parties inside and outside the company; how and why we built MITREid and why we see the promotion of external identities as an important pattern for enterprise organizations.
13. Let’s build something
• OpenID 2.0 Server
• Running on corporate IT hardware in the corporate IT environment
• Backed by corporate SSO and user profile information
• “We do SSO so you don’t have to”
14. Why OpenID?
• Open standard protocol
• Network-based federation
• User-driven trust model
• Simple to use and develop
15. Make it easy for developers: Platform support
• Libraries:
  – Java
  – PHP
  – Python
  – Javascript
  – Ruby
  – Perl
  – …
• Platforms & Plugins:
  – Spring Security
  – Elgg
  – Wordpress
  – Mediawiki
  – Omniauth
  – Drupal
  – …
16. Usage Profile: The prototype
[Diagram; labels: Firewall, Intranet, Internet, OpenID Server, SSO]
17. Usage Profile: The external service
[Diagram; labels: Firewall, Intranet, Internet, OpenID Server, SSO]
18. User Profiles: The mobile user
[Diagram; labels: Firewall, Intranet, Internet, OpenID Server, 2FA]
19. The architecture
[Diagram; labels: Firewall, Intranet, Internet, Internal OP, External OP, Shared Database, User Profiles, Corporate SSO, Two-Factor Authn]
37. Scalable security decisions
• Whitelist: trusted partners, business contracts, customer organizations, trust frameworks (organizations decide these)
• Graylist: user-based trust decisions; follow a Trust On First Use model and keep logs (end-users decide these)
• Blacklist: very bad sites we don’t want to deal with, ever (organizations decide these)
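To make the three-list model concrete, here is an added example (not MITREid’s implementation) of the decision an OP makes when a relying party asks to authenticate a user. Organization-managed whitelist and blacklist entries are OpenID realms matched against the RP’s `return_to` URL using the spec’s realm rules (same scheme and port, host equal or covered by a `*.` wildcard, path prefix); the blacklist wins over the whitelist; anything on neither list falls to the graylist, where the user is asked once, the answer is remembered per user and realm, and every decision is logged. The realms and user names are constructed placeholders.

```python
from urllib.parse import urlsplit

# Constructed organization-managed lists (hypothetical realms, not MITRE's real lists).
WHITELIST = {"https://partner.example.com/", "https://*.customer.example.org/"}
BLACKLIST = {"https://phish.example.net/"}


def _port(u):
    return u.port or (443 if u.scheme == "https" else 80)


def realm_matches(realm, url):
    """OpenID 2.0 realm matching: scheme and port equal, path prefix, and host equal or,
    for a '*.' realm, equal to the remainder or a subdomain of it."""
    r, u = urlsplit(realm), urlsplit(url)
    if r.scheme != u.scheme or _port(r) != _port(u) or not r.hostname or not u.hostname:
        return False
    if r.hostname.startswith("*."):
        root = r.hostname[2:]
        if not (u.hostname == root or u.hostname.endswith("." + root)):
            return False
    elif r.hostname != u.hostname:
        return False
    return u.path.startswith(r.path)


class TrustStore:
    def __init__(self, whitelist, blacklist):
        self.whitelist = set(whitelist)   # organization decides
        self.blacklist = set(blacklist)   # organization decides
        self.graylist = {}                # (user, realm) -> remembered user decision
        self.log = []                     # every decision, for audit

    def _record(self, now, user, realm, decision, reason):
        self.log.append((now, user, realm, decision, reason))
        return decision

    def decide(self, user, realm, return_to, ask_user, now):
        """Return 'allow' or 'deny'. ask_user(user, realm) -> bool is the consent prompt."""
        # The requested realm must cover return_to, or the RP is lying about who it is.
        if not realm_matches(realm, return_to):
            return self._record(now, user, realm, "deny", "return_to outside realm")
        if any(realm_matches(b, return_to) for b in self.blacklist):
            return self._record(now, user, realm, "deny", "blacklisted by organization")
        if any(realm_matches(w, return_to) for w in self.whitelist):
            return self._record(now, user, realm, "allow", "whitelisted by organization")
        # Graylist: Trust On First Use. Prompt once per (user, realm), remember, and log.
        key = (user, realm)
        if key not in self.graylist:
            self.graylist[key] = "allow" if ask_user(user, realm) else "deny"
            reason = "first use, user decided"
        else:
            reason = "remembered user decision"
        return self._record(now, user, realm, self.graylist[key], reason)
```

Keeping the log inside the store rather than as a side effect of the prompt means a denied or out-of-realm request is still auditable, which is the point of “keep logs” for decisions that individual users, not the organization, are making.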
38. Conclusions
• Use open standards
• Give your people digital identities and let them decide where to use them
• Use federation where possible