A recipe for standards-based Cloud IdM

Paul Madsen
@paulmadsen
Ingredients

• SAML
• OAuth
• SCIM
• JWT
Ingredients

• A small number of ingredients can be composed to create useful & tasty dishes
• SCIM, SAML, OAuth, and JWT provide a standards-based framework for cloud identity recipes
(Gross) Oversimplifications

• SAML – SSO for enterprise & cloud web apps
• OAuth – authn & authz for RESTful APIs
• SCIM – RESTful (and viable!) user provisioning
• JWT – JSON-based SAML assertions
[Diagram: the four ingredients, SAML, SCIM, OAuth and JWT, with the pairwise combinations the following sections cook up]
SCIM & SAML

• SCIM API messages to provision accounts for subsequent SAML SSO
• SAML binding for SCIM
  • Carry the SCIM instance as attributes in the SAML SSO message
  • Alternative to a distinct CRUD operation using the SCIM RESTful protocol
  • Enables JIT provisioning
SCIM & SAML

<saml:AttributeStatement xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:scim="http://placeholder.scim.org/2011/schema/extension">
  <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
      Name="SCIM.userName">
    <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:type="xs:string">bjensen@example.com</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
      Name="SCIM.name.formatted">
    <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:type="xs:string">Ms. Babs J Jensen III</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
Challenges

• Non-trivial to map SCIM attribute schema into SAML's attribute model
• SCIM schema allows for
  • Complex structures
  • Multi-valued attributes
• Which is why I've been negligent in the work
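The mapping problem the two slides above describe, as an added example that is not part of the deck: it flattens a SCIM User (with the complex `name` attribute and the multi-valued `emails` attribute) into the dotted `SCIM.*` attribute names the slide's AttributeStatement uses, emits the SAML XML, and parses it back on the SP side. The convention for sub-attributes and multi-valued attributes is an assumption of this example, not something the deck or any SCIM binding fixes, and the round trip shows where it is lossy.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
XS_NS = "http://www.w3.org/2001/XMLSchema"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"
UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
ET.register_namespace("saml", SAML_NS)
ET.register_namespace("xsi", XSI_NS)

# Constructed sample: a SCIM core User with a complex attribute (name) and a
# multi-valued complex attribute (emails), the two cases the deck flags as hard.
SAMPLE_SCIM_USER = {
    "userName": "bjensen@example.com",
    "name": {"formatted": "Ms. Babs J Jensen III", "familyName": "Jensen",
             "givenName": "Barbara"},
    "emails": [
        {"value": "bjensen@example.com", "type": "work", "primary": True},
        {"value": "babs@jensen.org", "type": "home"},
    ],
}


def flatten_scim(resource, prefix="SCIM"):
    """Flatten a SCIM resource into {dotted attribute name: [string values]}.

    Assumed convention (not fixed by the deck): sub-attributes get dotted names
    such as SCIM.name.formatted, and every entry of a multi-valued attribute
    contributes one value under the same name (SCIM.emails.value). The pairing
    of value/type/primary inside one entry is therefore lost: the mapping into
    SAML's flat attribute model is lossy, which is the challenge the deck names.
    """
    flat = {}

    def walk(name, value):
        if isinstance(value, dict):
            for key, sub in value.items():
                walk(f"{name}.{key}", sub)
        elif isinstance(value, list):
            for item in value:
                walk(name, item)
        else:
            if isinstance(value, bool):
                text = "true" if value else "false"
            else:
                text = str(value)
            flat.setdefault(name, []).append(text)

    for key, value in resource.items():
        walk(f"{prefix}.{key}", value)
    return flat


def to_attribute_statement(resource):
    """Build the saml:AttributeStatement carrying the flattened SCIM resource."""
    stmt = ET.Element(f"{{{SAML_NS}}}AttributeStatement")
    stmt.set("xmlns:xs", XS_NS)  # declare the xs: prefix referenced by xsi:type
    for name, values in flatten_scim(resource).items():
        attr = ET.SubElement(stmt, f"{{{SAML_NS}}}Attribute",
                             {"NameFormat": UNSPECIFIED, "Name": name})
        for text in values:  # one AttributeValue per value of a multi-valued attribute
            val = ET.SubElement(attr, f"{{{SAML_NS}}}AttributeValue",
                                {f"{{{XSI_NS}}}type": "xs:string"})
            val.text = text
    return stmt


def attribute_statement_xml(resource):
    """Serialise the statement as it would travel inside a SAML SSO message."""
    return ET.tostring(to_attribute_statement(resource), encoding="unicode")


def from_attribute_statement(xml_text):
    """SP side: recover {name: [values]} from the received AttributeStatement."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML_NS}}}AttributeStatement":
        raise ValueError("not a saml:AttributeStatement")
    recovered = {}
    for attr in root.findall(f"{{{SAML_NS}}}Attribute"):
        recovered[attr.get("Name")] = [
            val.text or "" for val in attr.findall(f"{{{SAML_NS}}}AttributeValue")]
    return recovered


if __name__ == "__main__":
    xml = attribute_statement_xml(SAMPLE_SCIM_USER)
    print(xml)
    print(from_attribute_statement(xml))
```

The SP gets `SCIM.emails.value` with two values and `SCIM.emails.primary` with one, but no longer knows which email was the primary one; carrying SCIM's JSON structure faithfully would need a richer value type than `xs:string`, which is exactly the design question the Challenges slide leaves open.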
[Diagram: SAML, SCIM, OAuth and JWT; next pairing: SCIM & OAuth]
SCIM & OAuth

1. Use SCIM to provision an account for subsequent OAuth-based mobile access to SaaS APIs
2. Use OAuth to secure SCIM API calls
SCIM & OAuth

POST /User HTTP/1.1
Host: example.com
Accept: application/xml
Authorization: Bearer h480djs93hd8

<?xml version="1.0" encoding="UTF-8"?>
<scim:User xmlns:scim="urn:scim:schemas:core:1.0">
  <userName>bjensen@example.com</userName>
  <externalId>701984</externalId>
  <emails>
    <email>
      <value>bjensen@example.com</value>
      <primary>true</primary>
      <type>work</type>
    </email>
  </emails>
</scim:User>

The Authorization header carries an OAuth access token issued by the SaaS to the enterprise to use on subsequent SCIM calls. Note the difference from the archetypical OAuth delegated-authz use case.
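The SaaS side of the request above, as an added example that is not part of the deck: a handler for `POST /User` that checks the bearer token before it touches the SCIM body, distinguishing the three bearer-token failures (no credential, bad or expired token, valid token without the needed scope) and returning the HTTP status each warrants. The token store, its scopes (`scim:write`, `scim:read`) and the client identifiers are constructed for this example; the tokens belong to the enterprise as a client, with no end user behind them, which is the point the slide makes about the non-delegated use case.

```python
import time
import xml.etree.ElementTree as ET

SCIM_NS = "urn:scim:schemas:core:1.0"

# Constructed stand-in for the SaaS authorization server's token records. These
# tokens were issued to the enterprise itself (client-credentials style), so
# there is no end user behind them: that is the difference from the archetypal
# delegated-authorization OAuth use case.
ISSUED_AT = time.time()
TOKEN_STORE = {
    "h480djs93hd8": {"client_id": "enterprise-hr", "scope": {"scim:write"},
                     "expires_at": ISSUED_AT + 3600},
    "expiredtoken": {"client_id": "enterprise-hr", "scope": {"scim:write"},
                     "expires_at": ISSUED_AT - 1},
    "readonlytokn": {"client_id": "audit-tool", "scope": {"scim:read"},
                     "expires_at": ISSUED_AT + 3600},
}

# The request from the deck, as one constructed raw HTTP message.
SAMPLE_REQUEST = """POST /User HTTP/1.1
Host: example.com
Accept: application/xml
Authorization: Bearer h480djs93hd8

<?xml version="1.0" encoding="UTF-8"?>
<scim:User xmlns:scim="urn:scim:schemas:core:1.0">
<userName>bjensen@example.com</userName>
<externalId>701984</externalId>
<emails><email><value>bjensen@example.com</value><primary>true</primary><type>work</type></email></emails>
</scim:User>"""


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, path, headers, body)."""
    head, _, body = raw.partition("\n\n")
    lines = head.splitlines()
    method, path, _version = lines[0].split()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def authorize(headers, required_scope, now=None):
    """Bearer-token checks in RFC 6750 order: (ok, status, error_or_client_id)."""
    now = time.time() if now is None else now
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return False, 401, "invalid_request"      # no usable credential at all
    record = TOKEN_STORE.get(token.strip())
    if record is None or record["expires_at"] <= now:
        return False, 401, "invalid_token"        # unknown, revoked or expired
    if required_scope not in record["scope"]:
        return False, 403, "insufficient_scope"   # valid token, wrong privilege
    return True, 200, record["client_id"]


def handle_scim_create(raw_request, now=None):
    """SaaS-side handler for POST /User: authorize first, only then parse the body."""
    method, path, headers, body = parse_request(raw_request)
    if method != "POST" or path != "/User":
        return {"status": 404, "error": "not_found"}
    ok, status, detail = authorize(headers, "scim:write", now)
    if not ok:
        return {"status": status, "error": detail,
                "www_authenticate": f'Bearer error="{detail}"'}
    root = ET.fromstring(body.strip().encode("utf-8"))
    if root.tag != f"{{{SCIM_NS}}}User":
        return {"status": 400, "error": "invalidSyntax"}
    user_name = root.findtext("userName")
    if not user_name:
        return {"status": 400, "error": "invalidValue"}   # userName is required
    return {"status": 201, "userName": user_name,
            "externalId": root.findtext("externalId"), "created_by": detail}


def with_token(raw_request, token):
    """Swap the bearer token in the sample request (helper for the checks below)."""
    return raw_request.replace("Bearer h480djs93hd8", f"Bearer {token}")


if __name__ == "__main__":
    print(handle_scim_create(SAMPLE_REQUEST))
    print(handle_scim_create(with_token(SAMPLE_REQUEST, "expiredtoken")))
    print(handle_scim_create(with_token(SAMPLE_REQUEST, "readonlytokn")))
```

Authorizing before parsing matters: an unauthenticated caller never gets the XML parser (and whatever it may be vulnerable to) pointed at their input, and the `created_by` field in the result is the audit trail that ties each provisioned account to the client that created it.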
[Diagram: SAML, SCIM, OAuth and JWT; next pairing: SAML & OAuth]
SAML & OAuth

• 'Hybrid' – carry an OAuth token in SAML SSO messages (OAuth nested inside SAML)
• 'Assertion profile' – use SAML assertions within an OAuth flow; trade the assertion for a token (SAML nested inside OAuth)
• 'Sequencing' – use SAML SSO in order to authenticate the user to the AS (SAML, then OAuth)
Demo

Copyright © 2011. Cloud Identity Summit. All Rights Reserved.
[Diagram: SAML, SCIM, OAuth and JWT; next combination: SAML & JWT & OAuth]
SAML & JWT & OAuth

• SAML and JWT: profile the assertion profile for specific assertion formats
• Assertion profile: how to use assertions for client authentication and as a grant type
• OAuth: core protocol
SAML & JWT & OAuth

• Use a SAML assertion or JWT for OAuth client authentication and/or as an OAuth grant type

POST /token HTTP/1.1
Host: server.example.com
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code&code=i1WsRn1uB1&client_id=s6BhdRkqt3&
client_assertion_type=urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Aassertion&
client_assertion=PHNhbWxwOl…...ZT

The client is authenticating to the AS token endpoint using an assertion rather than a secret.
[Diagram: SAML, SCIM, OAuth and JWT, with OpenID Connect placed between OAuth and JWT]
OpenID Connect == JWT & OAuth & identity

• OAuth is a general mechanism to authorize API access; OpenID Connect profiles the generic protocol for the purposes of sharing profile information & enabling an SSO protocol
• Uses the authz code & implicit grant types – the pieces of OAuth optimized for user-consent scenarios
• Leverages the authorization & token endpoints & adds identity-based params to core OAuth messages
OpenID Connect

• OpenID Provider
  – Adds to the OAuth 2.0 Authorization Service
    • Issues id_token in addition to access_token
  – Codifies a standardized Resource Service
    • UserInfo Endpoint
• Relying Party
  – OAuth client to the endpoints exposed by the OpenID Provider
    • Implicit Grant or Authorization Code Flows
[Diagram: Base OAuth – the Client (1) gets a token from the AS and (2) uses the token at the RS, with the User Agent in the picture for the front-channel steps. Ignoring the distinction as to whether the tokens actually flow front-channel, or instead back-channel after a front-channel step.]

[Diagram: OpenID Connect layered on base OAuth – the Client (1) gets a token from the AS, (2) reads the token (the id_token) and (3) uses the token at the UserInfo endpoint of the RS. Same caveat about front-channel versus back-channel.]
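Both sides of "assertions as client authentication" (the token-endpoint request two sections back) and of "read a token" (the id_token step in the OpenID Connect diagram above), as one added example that is not part of the deck. The deck's request uses the SAML assertion type; this example uses the JWT variant of the same profile, `urn:ietf:params:oauth:client-assertion-type:jwt-bearer`, so that one small JWT sign/verify routine serves both the AS authenticating a client and the Relying Party validating an id_token. HS256 with shared secrets is assumed here to stay in the standard library; the endpoint URLs, keys, nonce and subject values are constructed.

```python
import base64
import hashlib
import hmac
import json
import uuid
from urllib.parse import parse_qs, urlencode

TOKEN_ENDPOINT = "https://server.example.com/token"
JWT_CLIENT_ASSERTION = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
# Constructed keys: a secret each client shares with the AS, and the OP's own.
CLIENT_KEYS = {"s6BhdRkqt3": b"constructed-secret-shared-with-the-AS"}
OP_ISSUER = "https://op.example.com"
OP_KEY = b"constructed-openid-provider-signing-secret"
SEEN_JTI = set()  # replay cache for client assertions (bounded by exp in practice)


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jwt_sign(claims, key):
    """Compact JWS with HS256 (assumed for this stdlib-only sketch)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    mac = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(mac)}"


def jwt_verify(token, key, issuer, audience, now):
    """Signature plus the claims every assertion profile demands: iss, aud, exp."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    header, payload, signature = parts
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm; never accept 'none'
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(signature)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if now >= claims.get("exp", 0):
        raise ValueError("expired")
    return claims


# Token endpoint: the client authenticates with an assertion instead of a secret.
def make_client_assertion(client_id, key, now):
    return jwt_sign({"iss": client_id, "sub": client_id, "aud": TOKEN_ENDPOINT,
                     "iat": now, "exp": now + 300, "jti": uuid.uuid4().hex}, key)


def build_token_request(client_id, assertion, code="i1WsRn1uB1"):
    """The form body from the deck, with the JWT client_assertion_type."""
    return urlencode({"grant_type": "authorization_code", "code": code,
                      "client_id": client_id,
                      "client_assertion_type": JWT_CLIENT_ASSERTION,
                      "client_assertion": assertion})


def authenticate_client(form_body, now):
    """AS side: return the authenticated client_id or raise ValueError."""
    form = {k: v[0] for k, v in parse_qs(form_body).items()}
    if form.get("client_assertion_type") != JWT_CLIENT_ASSERTION:
        raise ValueError("unsupported client_assertion_type")
    client_id = form.get("client_id")
    key = CLIENT_KEYS.get(client_id)
    if key is None:
        raise ValueError("unknown client")
    claims = jwt_verify(form.get("client_assertion", ""), key, client_id, TOKEN_ENDPOINT, now)
    if claims.get("sub") != client_id:
        raise ValueError("sub must equal client_id")
    jti = claims.get("jti")
    if not jti or jti in SEEN_JTI:
        raise ValueError("assertion replayed")  # a bearer assertion is single use
    SEEN_JTI.add(jti)
    return client_id


# Relying Party: "read a token", the id_token step OpenID Connect adds to OAuth.
def issue_id_token(client_id, subject, nonce, now):
    return jwt_sign({"iss": OP_ISSUER, "sub": subject, "aud": client_id,
                     "iat": now, "exp": now + 600, "nonce": nonce}, OP_KEY)


def validate_id_token(id_token, client_id, expected_nonce, now):
    claims = jwt_verify(id_token, OP_KEY, OP_ISSUER, client_id, now)
    if claims.get("nonce") != expected_nonce:  # ties the token to this RP session
        raise ValueError("nonce mismatch")
    return claims["sub"]


def rejection_reason(verifier, *args):
    """Run a verifier; return its rejection reason, or '' when it accepts."""
    try:
        verifier(*args)
        return ""
    except ValueError as err:
        return str(err)
```

The two callers share every check except the last one: the AS additionally insists that `sub` equals the `client_id` and that the `jti` has not been seen, because a client assertion is a bearer credential that must not be replayable; the RP additionally checks the `nonce`, because an id_token accepted for the wrong session is exactly the token-substitution problem the audience and nonce claims exist to stop.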
[Diagram: SAML, SCIM, OAuth and JWT, with UMA placed between SCIM and OAuth]
UMA == OAuth + centralized authz

1. OAuth allows for pairwise app-to-app connections. UMA, in addition, defines a hub from which many pairwise sharing connections can be managed, controlled, and revoked.
2. OAuth solves for person-to-self sharing. UMA, in addition, solves for secure person-to-person sharing and person-to-organization sharing.
3. OAuth leaves unstated how its "authorization server" and "resource server" components interact. UMA fully defines a standard interface between its enhanced versions of these two components, the authorization manager and host.

From UMA FAQ
[Diagram: SAML, SCIM, OAuth and JWT, with "XACML?" placed between SCIM and OAuth]
XACML?

Speculative

• XACML policy (a TBD JSON binding) inside a JWT???
  • Extends simple scope model
• Interplay between SCIM-provisioned attributes & SaaS XACML policies?
• RESTful authz query for XACML?
  • PEP sends an access token to PDP (along with scopes); PDP resolves token as necessary, returns yes/no to PEP
[Diagram: the AS issues a token to the Client; the Client presents it to the PEP in front of the RS; the PEP queries the PDP, which answers y/n]
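The speculative PEP-to-PDP exchange above, as an added example that is not part of the deck: the PEP forwards the access token with the requested resource and action, the PDP resolves the token to its subject and scopes, joins that with SCIM-provisioned subject attributes, and evaluates a small attribute-based policy. The JSON policy shape is this example's own stand-in for the "TBD JSON binding" of XACML; the tokens, subjects, scopes and rules are all constructed.

```python
import json

# Constructed data. TOKENS is what the AS knows about the access tokens it issued
# (what the PDP "resolves" a token to); SUBJECTS holds attributes as a SCIM
# provisioning flow would have populated them at the SaaS.
TOKENS = {
    "tok-alice": {"sub": "alice", "scope": ["payroll:read"], "exp": 2000000000},
    "tok-bob": {"sub": "bob", "scope": ["payroll:read", "payroll:write"], "exp": 2000000000},
    "tok-carol": {"sub": "carol", "scope": ["payroll:write"], "exp": 2000000000},
    "tok-stale": {"sub": "alice", "scope": ["payroll:read"], "exp": 1000000000},
}
SUBJECTS = {
    "alice": {"department": "HR", "title": "analyst"},
    "bob": {"department": "Finance", "title": "manager"},
    "carol": {"department": "Engineering", "title": "manager"},
}

# A toy attribute-based policy in JSON, standing in for the "TBD JSON binding"
# of XACML the deck speculates about. A rule needs both a scope (what the token
# grants) and matching subject attributes (what SCIM provisioned), which is how
# it "extends the simple scope model": scope alone never permits anything here.
POLICY = {
    "rules": [
        {"effect": "Permit", "resource": "payroll", "action": "read",
         "requires_scope": "payroll:read",
         "subject_must_match": {"department": ["HR", "Finance"]}},
        {"effect": "Permit", "resource": "payroll", "action": "write",
         "requires_scope": "payroll:write",
         "subject_must_match": {"department": ["Finance"], "title": ["manager"]}},
    ],
    "default": "Deny",
}


def pdp_decide(query, now):
    """PDP: resolve the token, then evaluate the policy; return a decision record."""
    token = TOKENS.get(query.get("token"))
    if token is None or token["exp"] <= now:
        return {"decision": "Deny", "reason": "invalid_token"}
    subject = SUBJECTS.get(token["sub"], {})
    for rule in POLICY["rules"]:
        if (rule["resource"], rule["action"]) != (query["resource"], query["action"]):
            continue
        if rule["requires_scope"] not in token["scope"]:
            continue                                    # token does not grant this
        if all(subject.get(attr) in allowed
               for attr, allowed in rule["subject_must_match"].items()):
            return {"decision": rule["effect"], "reason": "rule_matched"}
    return {"decision": POLICY["default"], "reason": "no_rule_matched"}


def pep_enforce(token, resource, action, now):
    """PEP in front of the RS: ask the PDP and turn its answer into yes/no."""
    query = {"token": token, "resource": resource, "action": action}
    # Round-trip through JSON to mimic the RESTful authz query on the wire.
    reply = pdp_decide(json.loads(json.dumps(query)), now)
    return reply["decision"] == "Permit"


def decision_reason(token, resource, action, now):
    """Expose the PDP's reason so the RS can log why a request was refused."""
    return pdp_decide({"token": token, "resource": resource, "action": action}, now)["reason"]


if __name__ == "__main__":
    now = 1500000000
    for tok, action in [("tok-alice", "read"), ("tok-alice", "write"),
                        ("tok-bob", "write"), ("tok-carol", "write"), ("tok-stale", "read")]:
        print(tok, action, pep_enforce(tok, "payroll", action, now),
              decision_reason(tok, "payroll", action, now))
```

Carol's case is the one worth watching: her token carries `payroll:write`, so a scope-only check at the RS would let the write through, while the attribute-aware PDP denies it because the SCIM-provisioned department does not satisfy the rule. Note also that the PEP never sees the subject attributes or the policy, only the yes/no, which keeps policy evaluation in one place the way the UMA and XACML slides want it.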
Questions

Editor's notes

  1. Fly in the ointment is XACML
  2. Acknowledge that there is a SAML/XACML profile – but nobody uses it. What of composing XACML with OAuth – both nominally focussed on authz. What about carrying XACML in JWT etc etc