
Identity soup


When it comes to identity and access management (IAM) for your application, it's good to warm-up with a good cup of identity protocol soup. Key ingredients include SAML, OAuth, OpenID and OpenID Connect. In this session, learn how developers create world-class private and public applications that are secure, mobile and can be easily provisioned -- all leveraging these standards-based protocols.


  1. Warm Up to Identity Protocol Soup
     David Waite, Principal Technical Architect
     Copyright ©2012 Ping Identity Corporation. All rights reserved.
  2. Topics
     • What is Digital Identity?
     • What are the different technologies?
     • How are they useful?
     • Where is this space going?
  3. Digital Identity
  4. Concepts
     • Authentication / Authenticity
       – Is this entity (person/machine) who they say
  5. Concepts
     • Attributes / Identity Information
       – My name is David Waite
       – I work for Ping Identity
       – I’ve been in the Identity Space for 10 years
       – My email address is dwaite@pingidentity.com
  6. Introductions
     • Ping Identity
       – Focused on Identity standards
       – Enterprise and Consumer-oriented solutions
       – On-site software (PingFederate)
       – Identity as a Service offerings (PingOne)
  7. Concepts
     • Authorization
       – What are the rules on who can do what
     • Access Control
       – Enforces whether you can or can’t do something
  8. Concepts
     • The bundle of credentials, identifiers and attributes makes up the traditional idea of an “Account”
     • The services which work by the same system of accounts and authorization make up a “Security Domain”
  9. SAML / In the Beginning
  10. Simple App (diagram: an Application with Login and Content, backed by a DB)
  11. Less Simple App (diagram: an Application with Login, Content, Self-Registration and Password Recovery, backed by a DB)
  12. Uh-Oh (diagram: two Applications, each with Login, Content, Self-Registration and Password Recovery, plus a DB)
  13. Reality (Simplified) (diagram: four Applications, each with Login, Content, Self-Registration and Password Recovery, plus their DBs)
  14. Supportability Issues
     • Multiple accounts
     • Different usernames and passwords
     • Varying support / recovery processes
     • Hard to change Authorization policy
     • Provisioning users is error-prone
  15. Security Issues
     • Users may retain access to systems
     • Duplicated passwords and user info
     • Lack of auditing
     • Home-grown auth may be insecure
     • Difficult to switch to multi-factor
  16. Architectural impact
     • Decomposing applications is hard
     • Difficult to mash up APIs
       – Data Silos
     • Code for authz policy changes
     • Rebuilding same components
  17. Solution?
     • Identity and Access Management
       – Infrastructure shared by apps
       – Centralized resources and management
     • Examples:
       – Use LDAP for account attributes
       – Create groups representing authorizations rather than departments
  18. Identity and Access Management
     • Single Authentication Mechanism
       – Transport: Client X.509, Kerberos
       – Domain cookie w/App Server Plugin
       – Authenticating Proxy in front of apps
  19. Identity and Access Management
     • Central Authorization Policy
     • Set policy at HTTP resource level
     • Responsible for Access Control at resource level
  20. Drawbacks
     • Time/TCO to retrofit existing apps
     • High cost of infrastructure upgrades
     • M&A is often a nightmare
     • There are no standards
       – huge amount of vendor lock-in
  21. Failings
     • Not always possible to support
       – COTS software
       – 3rd Party / Hosted software
  22. SAML
  23. SAML
     • Security Assertion Markup Language
     • 1.0 in November 2002
     • 2.0 in March 2005
     “Securely Assert Identity Information”
  24. SAML Roles
     • “Identity Provider” (IDP)
       – provides identity information
     • “Service Provider” (SP)
       – consumes identity information
       – provides access to services
  25. SAML Pieces
     • Assertion
       – XML document
       – signed and/or encrypted
       – containing identity information
  26. SAML Parts
     • Protocol - messages built on assertions
     • Binding - sending protocol over the wire
     • Profile - combination to accomplish some use case
  27. SAML Web SSO
     • Most popular profile is Web Browser Single Sign-On Profile
     • Use browser as a communication channel
     • Authenticates browser that delivers the message
  28. SAML Web SSO
     Bridges Accounts for the different Security Domains
  29. SAML Used by
     • Web Browser SSO Profile
     • WS-* (as token)
     • WS-Federation (as token)
     • OAuth 2 (as authentication mechanism)
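Slides 23 to 29 describe the assertion as a signed XML document that the SP consumes after the browser delivers it. The following Python is an added example written for this transcript, not code from the presentation or from Ping Identity, showing the checks an SP must make before trusting the identity information an assertion carries: signature, Issuer, the Conditions validity window, AudienceRestriction, and the bearer SubjectConfirmationData (Recipient, InResponseTo, expiry). The assertion is constructed; the signature is a stand-in HMAC over the assertion bytes rather than a real enveloped XML Digital Signature, and every URL, ID and key below is an assumption.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion: the IdP at idp.example asserts a user to the SP
# whose entity ID is https://sp.example/metadata. All values are made up.
ASSERTION_XML = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1b2c3" Version="2.0" IssueInstant="2012-06-01T12:00:00Z">
  <saml:Issuer>https://idp.example/saml</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">dwaite@pingidentity.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData InResponseTo="_req42"
          Recipient="https://sp.example/acs" NotOnOrAfter="2012-06-01T12:05:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2012-06-01T11:59:00Z" NotOnOrAfter="2012-06-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example/metadata</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="displayName">
      <saml:AttributeValue>David Waite</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Stand-in for the IdP's signing key (constructed). A real assertion carries an
# enveloped XML Digital Signature verified against the IdP certificate from its
# metadata; here an HMAC over the assertion bytes plays that role.
IDP_KEY = b"constructed-idp-key"


def sign(assertion_xml: str, key: bytes = IDP_KEY) -> str:
    """IdP side: produce the stand-in signature over the serialized assertion."""
    mac = hmac.new(key, assertion_xml.encode(), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


def _ts(value: str) -> datetime:
    """Parse the UTC xs:dateTime form SAML uses, e.g. 2012-06-01T12:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(assertion_xml, signature, *, expected_issuer, my_entity_id,
                       acs_url, outstanding_request_ids, now, key=IDP_KEY):
    """SP side: return {name_id, attributes} or raise ValueError naming the failed check."""
    # 1. Integrity first: nothing below is trustworthy until the signature holds.
    if not hmac.compare_digest(sign(assertion_xml, key), signature):
        raise ValueError("signature")
    root = ET.fromstring(assertion_xml)
    # 2. Issuer must be the IdP this SP is federated with.
    if root.findtext("saml:Issuer", namespaces=NS) != expected_issuer:
        raise ValueError("issuer")
    # 3. Conditions: validity window and audience restriction.
    cond = root.find("saml:Conditions", NS)
    if not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        raise ValueError("validity window")
    audiences = [a.text for a in root.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if my_entity_id not in audiences:
        raise ValueError("audience")
    # 4. Bearer subject confirmation: delivered to our ACS, answering a request we
    #    actually sent (replay defence), and within its own expiry.
    scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url \
            or scd.get("InResponseTo") not in outstanding_request_ids:
        raise ValueError("subject confirmation")
    if now >= _ts(scd.get("NotOnOrAfter")):
        raise ValueError("subject confirmation expired")
    # 5. Only now read the identity information the assertion carries.
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    attrs = {a.get("Name"): a.findtext("saml:AttributeValue", namespaces=NS)
             for a in root.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return {"name_id": name_id, "attributes": attrs}


# The SP's view of the world at validation time (constructed).
SP_CONTEXT = dict(expected_issuer="https://idp.example/saml",
                  my_entity_id="https://sp.example/metadata",
                  acs_url="https://sp.example/acs",
                  outstanding_request_ids={"_req42"},
                  now=datetime(2012, 6, 1, 12, 1, tzinfo=timezone.utc))


def check_assertion(assertion_xml: str, signature: str, **overrides) -> str:
    """Label the outcome: 'ok' or the name of the first failing check."""
    try:
        validate_assertion(assertion_xml, signature, **{**SP_CONTEXT, **overrides})
        return "ok"
    except ValueError as err:
        return str(err)


if __name__ == "__main__":
    sig = sign(ASSERTION_XML)
    print(check_assertion(ASSERTION_XML, sig))
    print(check_assertion(ASSERTION_XML.replace("David Waite", "Mallory"), sig))
    print(check_assertion(ASSERTION_XML, sig, my_entity_id="https://other-sp.example"))
```

The order of the checks matters: the signature is verified over the raw bytes before the XML is interpreted, and the attributes are read only after every condition has passed, so a forged, replayed or mis-addressed assertion never reaches the code that creates a session.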
  30. OpenID
  31. OpenID
     • Created by Brad Fitzpatrick in 2005
     • Came out of blogging space
       – Don’t want to manage accounts just to let people comment on blog posts
     • Initially for Lower Assurance
     • Dynamically Managed relationships
  32. OpenID
     • Your “username” is a URL
     • Your login proves ownership
     • Your identity/persona is that URL
  33. OpenID - How it works
     • Relying Party
       – Similar role to SP, requests/relies on OpenID
     • OpenID Provider
       – Similar role to IDP, authenticates users
  34. OpenID - How it works
     1. User enters OpenID or selects OP at Relying Party*
     2. RP figures out appropriate OP
     3. Sends browser to OP so the user can prove who they are
     4. OP sends authenticated user back to RP
  35. Advantages
     • User-Centric Identity
       – user maintains control
       – determines who sees what
     • Can run infrastructure without coordination
  36. Disadvantages
     • Users do not understand URLs
     • Hidden complexity in implementing
     • Interoperability is poor
     • Many sites are non-compliant
     • Some sites require extensions
  37. Recommendation
     • Support specific partners/software
     • Choose a mature product or library
     • Hide OpenID from user
       – Use a NASCAR page
  38. OAuth 1 and 2
  39. OAuth
     • Negotiate/Represent Authorization for Apps
     • Per-user
       – Delegation of user access
       – User participation in authorization policy
  40. The Old Model* (diagram)
  41. The Old Model* (diagram)
  42. OAuth 1
     • Created in 2007
     • 2-legged
       – Server to Server
     • 3-legged
       – User authorization
  43. OAuth 1 Flow
     • User selects to add/authorize third party
     • App sends user to third party site
     • User authenticates with site if needed, indicates what the app is authorized for
     • User is sent back to App with token
  44. OAuth Benefits
     • App access is limited
     • App behaviors are auditable
     • User makes their own policy decisions
     • Users can revoke access to their data
  45. OAuth 2
     • Removes complex signature requirement
       – Must use SSL
       – Resource access is simple
     • Separate roles for protected resource and authorization service
     • Adds new flows for native client use
  46. OAuth 1 vs 2
     • OAuth 1 is very pragmatic
       – Hits two use cases
       – Details them thoroughly with examples
     • OAuth 2 is broad, extensible
       – Pieces used to solve particular problem
     • Do not recommend OAuth 1 for new projects
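Slide 45 says OAuth 2 removes the signature requirement at the price of mandatory SSL. To make that trade-off concrete, here is an added example (not code from the deck or from Ping Identity) of what the requirement was in OAuth 1: RFC 5849 HMAC-SHA1 request signing built with the standard library, run on the worked request from RFC 5849 §3.4.1, with the server-side verification beside it, followed by the OAuth 2 bearer header that replaced all of it. The function names and the api.example URL are assumptions; the consumer key, token, nonce, timestamp and secrets are the RFC's published example values.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, unquote, urlsplit


def _enc(value: str) -> str:
    """RFC 5849 §3.6 percent encoding: everything but ALPHA / DIGIT / - . _ ~ is escaped."""
    return quote(value, safe="-._~")


def base_string_uri(url: str) -> str:
    """§3.4.1.2: scheme and host lowercased, default port dropped, query removed."""
    parts = urlsplit(url)
    scheme, host = parts.scheme.lower(), parts.hostname.lower()
    if parts.port and parts.port != {"http": 80, "https": 443}.get(scheme):
        host = "%s:%d" % (host, parts.port)
    return "%s://%s%s" % (scheme, host, parts.path or "/")


def signature_base_string(method: str, url: str, oauth_params: dict, body: str = "") -> str:
    """§3.4.1: method & encoded base URI & encoded normalized parameters, where the
    parameters come from the query string, the oauth_* protocol parameters (minus
    realm and oauth_signature) and a form-encoded body, sorted by name then value."""
    pairs = [(k, v) for k, v in oauth_params.items() if k not in ("realm", "oauth_signature")]
    pairs += parse_qsl(urlsplit(url).query, keep_blank_values=True)
    pairs += parse_qsl(body, keep_blank_values=True)
    normalized = "&".join("%s=%s" % kv for kv in sorted((_enc(k), _enc(v)) for k, v in pairs))
    return "&".join([method.upper(), _enc(base_string_uri(url)), _enc(normalized)])


def hmac_sha1_signature(base_string: str, consumer_secret: str, token_secret: str = "") -> str:
    """§3.4.2: the key is encoded consumer secret, '&', encoded token secret."""
    key = ("%s&%s" % (_enc(consumer_secret), _enc(token_secret))).encode()
    return base64.b64encode(hmac.new(key, base_string.encode(), hashlib.sha1).digest()).decode()


def oauth1_authorization_header(method, url, body, consumer_key, consumer_secret,
                                token, token_secret, nonce, timestamp):
    """Client side: sign the request and emit the OAuth 1 Authorization header."""
    params = {
        "oauth_consumer_key": consumer_key,
        "oauth_token": token,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": timestamp,
        "oauth_nonce": nonce,
    }
    params["oauth_signature"] = hmac_sha1_signature(
        signature_base_string(method, url, params, body), consumer_secret, token_secret)
    return "OAuth " + ", ".join('%s="%s"' % (k, _enc(v)) for k, v in params.items())


def server_verifies(method, url, body, header, consumer_secret, token_secret) -> bool:
    """Server side: rebuild the base string from the request as received and compare.
    Any change to method, URL, query, body or oauth_* parameters breaks the match."""
    raw = dict(kv.split("=", 1) for kv in header[len("OAuth "):].split(", "))
    params = {k: unquote(v.strip('"')) for k, v in raw.items()}
    expected = hmac_sha1_signature(
        signature_base_string(method, url, params, body), consumer_secret, token_secret)
    return hmac.compare_digest(expected, params["oauth_signature"])


def oauth2_bearer_header(url: str, access_token: str) -> str:
    """OAuth 2: no signature at all, just the token. That is why the slide says
    "must use SSL": anyone who can read the header can replay it unchanged."""
    if urlsplit(url).scheme != "https":
        raise ValueError("bearer tokens must only be sent over TLS")
    return "Bearer " + access_token


# Worked request from RFC 5849 §3.4.1 (published example values, not page data).
RFC_URL = "http://example.com/request?b5=%3D%253D&a3=a&c%40=&a2=r%20b"
RFC_BODY = "c2&a3=2+q"
RFC_CLIENT = dict(consumer_key="9djdj82h48djs9d2", consumer_secret="j49sk3j29djd",
                  token="kkk9d7dh3k39sjv7", token_secret="dh893hdasih9",
                  nonce="7d8f3e4a", timestamp="137131201")

if __name__ == "__main__":
    hdr = oauth1_authorization_header("POST", RFC_URL, RFC_BODY, **RFC_CLIENT)
    print(hdr)
    print(server_verifies("POST", RFC_URL, RFC_BODY, hdr, "j49sk3j29djd", "dh893hdasih9"))
    print(oauth2_bearer_header("https://api.example/photos", "constructed-access-token"))
```

Every parameter of the request is folded into the OAuth 1 base string, so both sides must agree byte for byte on encoding, sorting and URI normalisation; that agreement is the interoperability cost the slide alludes to, and the bearer header trades it for a hard dependency on the transport.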
  47. OAuth vs Web SSO
     OAuth is for authorization, not authentication
     • Web SSO lets you know who the user is
     • OAuth is permission to act for the user
     • NOT a replacement for Web SSO
  48. OAuth vs Web SSO
     • OAuth does not give you
       – User attributes
       – Confirmation (that the user is present)
       – Audience (this token was meant for you)
  49. OpenID Connect
  50. OpenID Connect
     • In-process specification building on top of OAuth 2
     • Adds first-class identity information to protocol
     • Supports additional use cases
       – (hybrid client)
  51. OpenID Connect
     • New “ID Token”
     • Normal Access token is for the resource, about the client application
     • ID token is meant to be understood by the client, about the user
  52. OpenID Connect
     • Defines UserInfo service
       – To get user attributes in a standard manner
     • Has Simple discovery mechanism to authenticate by URL or email address
     • Defines dynamic client support
  53. OpenID Connect
     OpenID Connect provides a single way to securely support both Web SSO and API access by native clients.
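Slides 47 and 48 list what an access token does not give a client (attributes, confirmation that the user is present, an audience), and slides 50 to 52 describe the ID Token that OpenID Connect adds to close that gap. The Python below is an added example written for this transcript, not code from the presentation or from Ping Identity: it issues an ID token and an access token for the same user and runs the client-side ID token checks (algorithm, signature, iss, aud, exp, nonce) over both, so the access token is rejected on audience exactly as slide 48 predicts. The tokens are HS256 JWTs keyed with the client secret, which OpenID Connect permits; the issuer, client ID, subject, nonce and timestamps are constructed.

```python
import base64
import hashlib
import hmac
import json


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_jwt(claims: dict, key: bytes) -> str:
    """OP side: compact JWS with HS256 (HMAC keyed with the client secret)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    signing_input = header + "." + payload
    mac = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(mac)


def validate_id_token(token: str, key: bytes, *, issuer: str, client_id: str,
                      nonce: str, now: int) -> dict:
    """Client side (OpenID Connect Core ID token validation, simplified):
    return the claims or raise ValueError naming the failed check."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_unb64url(header_b64))
    if header.get("alg") != "HS256":        # never accept "none" or a surprise algorithm
        raise ValueError("alg")
    expected = hmac.new(key, (header_b64 + "." + payload_b64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig_b64)):
        raise ValueError("signature")
    claims = json.loads(_unb64url(payload_b64))
    if claims.get("iss") != issuer:         # issued by the OP we sent the user to
        raise ValueError("iss")
    aud = claims.get("aud")
    if client_id not in ([aud] if isinstance(aud, str) else aud or []):
        raise ValueError("aud")             # slide 48: "this token was meant for you"
    if now >= int(claims.get("exp", 0)):
        raise ValueError("exp")
    if claims.get("nonce") != nonce:        # ties the token to this login request
        raise ValueError("nonce")
    return claims


# Constructed parties and clocks.
OP_ISSUER = "https://op.example"
CLIENT_ID = "client-app-1"
CLIENT_SECRET = b"constructed-client-secret"
NONCE = "n-0S6_WzA2Mj"
NOW = 1338552000                            # constructed "current time", unix seconds

ID_CLAIMS = {"iss": OP_ISSUER, "sub": "248289761001", "aud": CLIENT_ID,
             "exp": NOW + 600, "iat": NOW, "nonce": NONCE,
             "email": "dwaite@pingidentity.com"}
ID_TOKEN = issue_jwt(ID_CLAIMS, CLIENT_SECRET)

# Access token for the photos API: same issuer and subject, but its audience is
# the resource server and it says nothing about the login (no nonce). Built as a
# JWT only so the contrast is visible; access tokens are often opaque strings.
ACCESS_TOKEN = issue_jwt({"iss": OP_ISSUER, "sub": "248289761001",
                          "aud": "https://api.example/photos", "scope": "photos.read",
                          "exp": NOW + 3600}, CLIENT_SECRET)


def unsigned_token(claims: dict) -> str:
    """A token with alg=none and an empty signature; the validator must reject it."""
    return _b64url(b'{"alg":"none"}') + "." + _b64url(json.dumps(claims).encode()) + "."


def check_id_token(token: str, **overrides) -> str:
    """Label the outcome: 'ok' or the name of the first failing check."""
    ctx = dict(issuer=OP_ISSUER, client_id=CLIENT_ID, nonce=NONCE, now=NOW)
    ctx.update(overrides)
    try:
        validate_id_token(token, CLIENT_SECRET, **ctx)
        return "ok"
    except ValueError as err:
        return str(err)


if __name__ == "__main__":
    print(check_id_token(ID_TOKEN))        # ok
    print(check_id_token(ACCESS_TOKEN))    # aud
```

The access token fails the audience check even though it was issued by the same OP for the same user: it was meant for the API, not for the client, and it carries no nonce, so nothing in it proves that this user just authenticated for this login attempt.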
  54. Closing
  55. Closing
     • Digital Identity is a broad topic representing the user authentication, attributes, and authorization policies for a domain
     • Applications should not be their own security domains
       – does not scale
  56. Closing
     • Web SSO is a way to bridge the gap in security domains
       – SAML - Security Assertion Markup Language
       – OpenID
  57. Closing
     • For native clients, the browser flow of Web SSO is not appropriate
     • SOAP services have WS-*
       – supports SAML tokens
     • REST services have OAuth
       – supports SAML tokens
  58. Closing
     • Going forward, OpenID Connect bridges Web SSO and API access.
     • Supports authentication and authorization
     • Previous protocols will stay in use
  59. Questions?
     Image: http://www.flickr.com/photos/horiavarlan/4273168957/
     • Ask me about:
       – WS-Federation
       – WS-Security/WS-Trust
       – SCIM
       – ID-FF/Shibboleth
  60. Questions?
     • Visit www.pingidentity.com or www.pingone.com for more information
     • Email sales@pingidentity.com with questions
     Are you a SaaS company interested in getting started with PingOne for free? Contact us at sales@pingidentity.com to learn how!
