7. Ingredients
• A small number of ingredients can be composed to create useful & tasty dishes
• SCIM, SAML, OAuth, and JWT
provide a standards based
framework for cloud identity
recipes
8. (Gross) Oversimplifications
• SAML – SSO for enterprise & cloud web apps
• OAuth – delegated authz for RESTful APIs (user authn is not something OAuth provides by itself; that is what OpenID Connect adds on top)
• SCIM – RESTful (and viable!) user provisioning
• JWT – JSON-based analogue of SAML assertions
11. SCIM & SAML
• SCIM API messages to provision accounts for subsequent SAML SSO
• SAML binding for SCIM
– Carry SCIM instance as attributes in SAML SSO message
– Alternative to a distinct CRUD operation using the SCIM RESTful protocol
– Enables JIT provisioning
13. Challenges
• Non-trivial to map SCIM attribute schema into SAML's attribute model
• SCIM schema allows for
– Complex structures
– Multi-valued attributes
• Which is why I've been negligent in the work
15. SCIM & OAuth
1. Use SCIM to provision account for subsequent OAuth-based mobile access to SaaS APIs
2. Use OAuth to secure SCIM API calls
16. SCIM & OAuth
POST /User HTTP/1.1
Host: example.com
Accept: application/xml
Content-Type: application/xml
Authorization: Bearer h480djs93hd8

<?xml version="1.0" encoding="UTF-8"?>
<scim:User xmlns:scim="urn:scim:schemas:core:1.0">
  <userName>bjensen@example.com</userName>
  <externalId>701984</externalId>
  <emails>
    <email>
      <value>bjensen@example.com</value>
      <primary>true</primary>
      <type>work</type>
    </email>
  </emails>
</scim:User>
• The bearer value is the OAuth access token issued by the SaaS to the enterprise, to use on subsequent SCIM calls
• Note the difference from the archetypal OAuth delegated-authz use case: here the token represents the enterprise as a client in its own right, not an end user delegating access to their resources
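The request above as the enterprise client would emit it, plus the check the SaaS resource server makes before it provisions anything: bearer token first, then scope, then the SCIM operation. This is an added example written for this page, not code from the original slides or from any SCIM implementation; the token store, the scope names `scim:read`/`scim:write`, the second token and the client ids are constructed for the example.

```python
# Added example, not from the original slides: the slide-16 SCIM 1.0 call as
# the enterprise client sends it, and the check the SaaS resource server makes
# before provisioning. Token store, scope names and client ids are constructed.
import xml.etree.ElementTree as ET   # untrusted XML: prefer defusedxml in production

SCIM_NS = "urn:scim:schemas:core:1.0"
ET.register_namespace("scim", SCIM_NS)

# Constructed: access tokens the SaaS issued to enterprise *clients*. No end user
# delegated anything, which is the difference from the archetypal OAuth use case.
TOKENS = {
    "h480djs93hd8": {"client_id": "enterprise-idp", "scopes": {"scim:read", "scim:write"}},
    "r3ad0nly7ok3n": {"client_id": "hr-reporting", "scopes": {"scim:read"}},
}
DIRECTORY = {}  # userName -> provisioned user; what the SaaS keys later SAML SSO against


def build_create_user_request(token, user_name, external_id, email):
    """Render the POST /User request from slide 16 (SCIM 1.0 XML representation)."""
    root = ET.Element(f"{{{SCIM_NS}}}User")
    ET.SubElement(root, "userName").text = user_name
    ET.SubElement(root, "externalId").text = external_id
    mail = ET.SubElement(ET.SubElement(root, "emails"), "email")
    ET.SubElement(mail, "value").text = email
    ET.SubElement(mail, "primary").text = "true"
    ET.SubElement(mail, "type").text = "work"
    body = '<?xml version="1.0" encoding="UTF-8"?>\n' + ET.tostring(root, encoding="unicode")
    return ("POST /User HTTP/1.1\r\nHost: example.com\r\nAccept: application/xml\r\n"
            "Content-Type: application/xml\r\n"
            f"Authorization: Bearer {token}\r\n\r\n{body}")


def handle_scim_request(raw):
    """Resource server: validate the bearer token, then scope, then the SCIM operation."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _ = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    scheme, _, token = headers.get("authorization", "").partition(" ")
    grant = TOKENS.get(token) if scheme.lower() == "bearer" else None
    if grant is None:
        return 401, {"error": "invalid_token"}          # RFC 6750 style failure
    if method != "POST" or path != "/User":
        return 404, {"error": "unknown resource"}
    if "scim:write" not in grant["scopes"]:
        return 403, {"error": "insufficient_scope"}   # token is real but not for writes
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return 400, {"error": "malformed xml"}
    if root.tag != f"{{{SCIM_NS}}}User" or not root.findtext("userName"):
        return 400, {"error": "not a SCIM User"}
    user = {
        "userName": root.findtext("userName"),
        "externalId": root.findtext("externalId"),
        "emails": [{"value": e.findtext("value"), "primary": e.findtext("primary") == "true",
                    "type": e.findtext("type")} for e in root.findall("emails/email")],
        "provisionedBy": grant["client_id"],          # audit trail: which client created it
    }
    if user["userName"] in DIRECTORY:
        return 409, {"error": "userName already exists"}
    DIRECTORY[user["userName"]] = user
    return 201, user
```

The ordering matters: the token is checked before the body is parsed, so an unauthenticated caller never reaches the XML parser, and a read-only token gets 403 rather than silently creating accounts.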
18. SAML & OAuth
• 'Hybrid' – carry OAuth token in SAML SSO messages
• 'Assertion profile' – use SAML assertions within OAuth flow. Trade assertion for token
• 'Sequencing' – use SAML SSO in order to authenticate user to AS
26. SAML & JWT & OAuth
• OAuth – core protocol
• Assertion profile – how to use assertions for client authentication and as a grant type
• SAML assertion profile, JWT profile – for specific assertion formats
27. SAML & JWT & OAuth
• Use SAML assertion or JWT for OAuth client authentication and/or as an OAuth grant type
POST /token HTTP/1.1
Host: server.example.com
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code&
code=i1WsRn1uB1&
client_id=s6BhdRkqt3&
client_assertion_type=urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Aassertion&
client_assertion=PHNhbWxwOl…...ZT
Client authenticating to the AS token endpoint using an assertion rather than a secret. (The client_assertion_type value shown is from the early draft; RFC 7522 settled on urn:ietf:params:oauth:client-assertion-type:saml2-bearer, and RFC 7523 on ...:jwt-bearer for JWTs.)
29. OpenID Connect == JWT & OAuth & identity
• OAuth is a general mechanism to authorize API access; OpenID Connect profiles that generic mechanism for the purposes of sharing profile information & enabling an SSO protocol
• Uses the authz code & implicit grant types – the pieces of OAuth optimized for user-consent scenarios (implicit has since been discouraged in favour of the code flow)
• Leverages the authorization & token endpoints & adds identity-based params (e.g. scope=openid, nonce) to core OAuth messages
30. OpenID Connect
• OpenID Provider
– Adds to OAuth 2.0 Authorization Server
• Issues id_token in addition to access_token
– Codifies a standardized Resource Server
• UserInfo Endpoint
• Relying Party
– OAuth client to the endpoints exposed by the
OpenID Provider
• Implicit Grant or Authorization Code Flows
31. Base OAuth (ignoring the distinction as to whether the tokens actually flow front-channel via the User Agent, or instead back-channel after a front-channel step)
1) GET A TOKEN – Client obtains a token from the AS
2) USE A TOKEN – Client presents the token to the RS
32. OpenID Connect, layered on base OAuth (same caveat about front-channel via the User Agent vs back-channel after a front-channel step)
1) GET A TOKEN – Client obtains an access_token and an id_token from the AS (OpenID Provider)
2) READ A TOKEN – Client itself parses and validates the id_token
3) USE A TOKEN – Client presents the access_token to the RS (UserInfo endpoint)
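One small JWT toolkit covers two of the recipes above: the slide-27 token request, here in its JWT form (the client authenticates to the token endpoint with a signed client_assertion rather than sending its secret, RFC 7523 / OIDC client_secret_jwt), and the slides 29-32 OpenID Connect layering, where the OP returns an id_token beside the access_token, the RP READS the id_token (signature, iss, aud, exp, nonce) and keeps the access_token to USE at UserInfo. This is an added example written for this page, not code from the original slides or from any library; HS256 is used so it runs on the standard library (with an RSA/EC key the same structure is private_key_jwt). The client id s6BhdRkqt3 and code i1WsRn1uB1 come from slide 27; the secret, endpoints, subject, nonce and jti handling are constructed.

```python
# Added example, not from the original slides. Assumed/constructed: all secrets,
# endpoints, the subject "bjensen" and the nonce; s6BhdRkqt3/i1WsRn1uB1 are from slide 27.
import base64
import hashlib
import hmac
import json
import secrets
from urllib.parse import parse_qs, urlencode

TOKEN_ENDPOINT = "https://server.example.com/token"
OP_ISSUER = "https://server.example.com"
JWT_BEARER = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
CLIENTS = {"s6BhdRkqt3": b"constructed-client-secret"}      # AS client registry
CODES = {"i1WsRn1uB1": {"client_id": "s6BhdRkqt3", "sub": "bjensen",
                        "nonce": "n-0S6_WzA2Mj"}}           # unredeemed authz codes
SEEN_JTI = set()                                             # client-assertion replay cache


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jwt_sign(claims: dict, key: bytes) -> str:
    """HS256 JWT. With an RSA/EC key this would be RS256/ES256 (private_key_jwt)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def jwt_verify(token: str, key: bytes, issuer: str, audience: str, now: float) -> dict:
    """Checks every JWT consumer must make: alg pinned, signature, iss, aud, exp."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, payload, sig = parts
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")        # never let the token choose the algorithm
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload))
    aud = claims.get("aud")
    if claims.get("iss") != issuer or audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong iss/aud")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims


# (a) Slide 27: the client proves possession of its secret with a short-lived,
# single-use assertion instead of putting the secret itself on the wire.
def build_token_request(client_id: str, client_secret: bytes, code: str, now: float) -> str:
    assertion = jwt_sign({"iss": client_id, "sub": client_id, "aud": TOKEN_ENDPOINT,
                          "exp": int(now) + 60, "jti": secrets.token_urlsafe(16)}, client_secret)
    return urlencode({"grant_type": "authorization_code", "code": code, "client_id": client_id,
                      "client_assertion_type": JWT_BEARER, "client_assertion": assertion})


def token_endpoint(form_body: str, now: float):
    """AS/OP side: authenticate the client via its assertion, redeem the code, mint tokens."""
    form = {k: v[0] for k, v in parse_qs(form_body).items()}
    client_id = form.get("client_id", "")
    secret = CLIENTS.get(client_id)
    if secret is None or form.get("client_assertion_type") != JWT_BEARER:
        return 401, {"error": "invalid_client"}
    try:
        a = jwt_verify(form.get("client_assertion", ""), secret, client_id, TOKEN_ENDPOINT, now)
    except ValueError:
        return 401, {"error": "invalid_client"}
    if a.get("sub") != client_id or not a.get("jti") or a["jti"] in SEEN_JTI:
        return 401, {"error": "invalid_client"}  # wrong subject, or a replayed assertion
    SEEN_JTI.add(a["jti"])
    grant = CODES.pop(form.get("code"), None)   # authorization codes are single use
    if grant is None or grant["client_id"] != client_id:
        return 400, {"error": "invalid_grant"}
    # (b) OpenID Connect: an id_token (HS256 keyed with the client secret, per OIDC
    # Core 10.1) is returned alongside the access_token.
    id_token = jwt_sign({"iss": OP_ISSUER, "sub": grant["sub"], "aud": client_id,
                         "exp": int(now) + 300, "nonce": grant["nonce"]}, secret)
    return 200, {"access_token": "at-" + secrets.token_urlsafe(12),
                 "token_type": "Bearer", "id_token": id_token}


def rp_consume(response: dict, client_id: str, client_secret: bytes, expected_nonce: str, now: float):
    """RP side: READ the id_token (who logged in); keep the access_token to USE at UserInfo."""
    claims = jwt_verify(response["id_token"], client_secret, OP_ISSUER, client_id, now)
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")       # binds this id_token to this login attempt
    return claims["sub"], response["access_token"]
```

Two checks carry most of the security weight: the AS pins the assertion's audience to its own token endpoint and refuses a reused jti, so an assertion captured in transit cannot be replayed here or against another AS; and the RP treats the id_token as the only thing it interprets, never the opaque access_token, which is why the deck draws "read a token" and "use a token" as separate arrows.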
34. UMA == OAuth + centralized authz
1. OAuth allows for pairwise app-to-app connections. UMA, in
addition, defines a hub from which many pairwise sharing
connections can be managed, controlled, and revoked.
2. OAuth solves for person-to-self sharing. UMA, in addition, solves
for secure person-to-person sharing and person-to-organization
sharing.
3. OAuth leaves unstated how its "authorization server" and
"resource server" components interact. UMA fully defines a
standard interface between its enhanced versions of these two
components, the authorization manager and host.
From UMA FAQ
38. Speculative
•XACML policy (a TBD JSON binding) inside a JWT???
•Extends simple scope model
•Interplay between SCIM-provisioned attributes & SaaS
XACML policies?
•RESTful authz query for XACML?
•PEP sends an access token to PDP (along with scopes); PDP resolves the token as necessary and returns yes/no to PEP
Acknowledge that there is a SAML/XACML profile – but nobody uses it. What of composing XACML with OAuth – both nominally focussed on authz. What about carrying XACML in JWT etc etc