SlideShare une entreprise Scribd logo

Deciphering 'Claims-based Identity'

Oliver Pfaff
Oliver Pfaff

Claims-based identity refers to establishing a user's identity outside of an application and injecting identity information into the application in a secure manner. It allows applications to obtain authenticated user information programmatically or declaratively. While it improves the user experience and development process, claims-based identity does not solve all identity and access management use cases and some platforms require more custom work to implement it.

Technologie
1  sur  15
Deciphering 'Claims-based Identity' Oliver Pfaff September 13, 2014
2 Sept. 2014 - All rights reserved Preface ▶'Claims-based identity' presents an important concept. It was introduced some years ago and is well-covered –Just Google this term –Most notably: A Guide To Claims-Based Identity And Access Control (Second Edition) ▶However software product owners, application architects and developers often are puzzling about it –I happen to encounter the same questions again and again –So this is what claims-based identity means to me
3 Sept. 2014 - All rights reserved Approach ▶Create applications so that identity gets established outside the application –This refers to the identity of the current caller ▶The environment establishes and injects required identity information –This has to happen in a secure way Application request.getName()=JohnDoe Identity This is: name=JohnDoe Environment John Doe
4 Sept. 2014 - All rights reserved Blueprint Application request.getName()= JohnDoe… John Doe Identity infrastructure service <e.g. Web application> Container Identity enabling module <e.g. filter> Authentication request (without credentials) Security token Identity info User agent You – as product owner, architect, or developer One of your users Else Initial authentication
5 Sept. 2014 - All rights reserved Flavors ▶Claims-based identity comes in two flavors, economy/business – if you will –Economy: applications tell the identity infrastructure service at registration-time about their demand e.g. “I need info about age, residential address and loyalty program membership” •Provides authenticated information about the current user in push-style •Registration changes are needed to alter the set of supplied information –Business: applications tell the identity infrastructure service at runtime e.g. “I need info about marital status” •Allows applications to obtain authenticated information about the current user in pull-style (programmatically or declaratively providing the instructions on to-be-supplied claim information) •Altering the set of requested information to e.g. “Hey, I need info about marital status and the mail address” does not mandate registration changes
6 Sept. 2014 - All rights reserved Ingredients ▶In order to offer an economy solution it takes a security token object that supports application-specific contents in a versatile way –This is: name=JohnDoe, age=37, maritalStatus=divorced…. ▶To offer a business solution it also takes an authentication request object that can express application-defined instructions –I need: info about name, age, maritalStatus…
7 Sept. 2014 - All rights reserved Protocols ▶This addresses the question ‘which protocols bear the concept of claims-based identity’ for Web applications i.e. anything that relies on HTTP ▶It requires HTTP request/response exchanges that encompass a security token object capturing an event of authentication. So the shortlist is –Kerberos: specified by IETF (RFC 4559); uses Kerberos tickets as security token form-factor –SAML: specified by OASIS, uses SAML assertions –WS-Federation (passive profile): specified by OASIS; supports various security token formats –OpenID Connect: specified by OpenID Foundation; uses JSON Web Tokens –OAuth UA4C: elaborated at IETF (work-in-progress); uses JSON Web Tokens
8 Sept. 2014 - All rights reserved Fluency Economy Business Kerberos Security token is not versatile: Kerberos tickets only inform about the PrincipalName of the requestor Authentication request absent SAML Security token (saml:Assertion) is versatile Authentication request present in SAML 2.0 but does not define the expression of to- be-supplied claims information* Authentication request absent in SAML 1.x WS-Federation (passive profile) Security token can be versatile e.g. saml:Assertion** Authentication request present and supports the expression of to-be-supplied claims information: child element wst:Claims in wst:RequestSecurityToken OpenID Connect Security token (JSON Web Token) is versatile Authentication request present and supports two ways of expressing to-be- supplied claims information: - OAuth Scope values - OpenID Connect request object claims OAuth UA4C Security token (JSON Web Token) is versatile Authentication request present but does not define the expression of to-be-supplied claims information*** *: Its ‘any’ –type child element samlp:Extension supports custom content but things become proprietary **: WS-Federation does not specify security token formats. It also supports non-versatile objects e.g. Kerberos ***: OAuth Scope values might be used but UA4C does not specify their use for providing such instructions
9 Sept. 2014 - All rights reserved Stacks ▶The following addresses the question 'which stacks encompass identity enabling modules/infrastructure services for claims-based identity’ for Java (Java SE/EE) and .NET
10 Sept. 2014 - All rights reserved Fitness Economy Business Java Servlet API allows Java Web applications to access authenticated information about the current requestor (request.getRemoteUser()/ getUserPrincipal()) which is supplied by container/application extension modules. This does not specify rich representations of identity. Additional modules (IAM enabling) and custom conventions (between them and applications) are needed to supply caller identity in rich representations. Additional modules (IAM enabling) and custom conventions (between them and applications) to provide authentication requests with instructions on to-be-supplied claims. .NET Natively supported: • Identity enabling modules: WS-Federation Authentication Module (part of Windows Identity Foundation) • Identity infrastructure services: Active Directory Federation Services (on-premises), Azure Active Directory Access Control (Cloud) Natively supported (see left): instructions on to be supplied claims may be provided programmatically or declaratively
11 Sept. 2014 - All rights reserved Caveats ▶It takes two to tango: fluency of the protocol and ability of the stack –Protocols: •Economy: most shortlisted protocols are capable of doing the basic trick •Business: not all shortlisted protocols do the advanced trick –Stacks: •DIY needed for Java oNo identity enabling module for doing the trick comes off-the-shelf with Java SE/EE oCurrent servlet API does not specify the supply of caller identity in rich representations •Straight-forward with .NET oOff-the-shelf components and default recipes do exist
12 Sept. 2014 - All rights reserved Limitations ▶Claims-based identity does not solve all IAM-related use cases –Edge case: logged-in users perform operations which depend on information about other users (colleagues, buddies…) •Claims-based identity is able to cover the first part: who is the 'logged- in user’ (identifier, properties) possibly including: who are the other users (list of references) •But not the second part: what are the identities of 'other users' (their identifiers, properties). Packaging such information into security tokens issued for the primary user and binding that to an application session over-stretches typical boundary conditions –Cf. Provisioning scenarios in identity federations for more background ▶Claims-based identity does not automatically result in good IAM practices: –Applications can always come up with mySpecialUserPropertyYouDidNotAnticipateAndIRegardMandatory –Care is needed in allocating such information as well as the functionality for its maintenance in an overall IT-system
13 Sept. 2014 - All rights reserved Benefits ▶Improve user experience: facilitate consistent identity and login experience across network applications ▶Foster re-use: externalize the concern of user resp. requestor authentication, re-use its implementation across multiple applications ▶Facilitate agility: introduce new security features e.g. new authentication schemes or adaptive, context-based login without touching each individual application ▶Support new deployment models: applications that internalize initial authentication are tedious to move to the Cloud (here: IaaS, PaaS) ▶Scale application development: the number of development resources who are literate in security/IAM is out-scaled by the number of applications in need of authenticated information for their current requestor
14 Sept. 2014 - All rights reserved Conclusions ▶Claims-based identity is about the design of applications: it refers to a dependency injection concept for the ‘last mile‘ in authentication systems ▶Claims-based identity is one term for this concept: other solutions trading identity in its post-authentication form may comply with the concept without using this term ▶Claims-based identity is no one-stop-shop: IAM use cases do exist which are not covered by claims-based identity ▶Claims-based identity comes in some flavors: there is no single, one-size-fits- all approach – pull/push modes are to be distinguished ▶Claims-based identity is an unevenly distributed asset: in Java you’ll have to DIY, with .NET most stuff comes included
15 Sept. 2014 - All rights reserved Author ▶oliver.frank.pfaff@gmail.com

Recommandé

SharePoint 2010, Claims-Based Identity, Facebook, and the Cloud
SharePoint 2010, Claims-Based Identity, Facebook, and the CloudSharePoint 2010, Claims-Based Identity, Facebook, and the Cloud
SharePoint 2010, Claims-Based Identity, Facebook, and the CloudDanny Jessee
 
SharePoint 2010, Claims-Based Identity, Facebook, and the Cloud
SharePoint 2010, Claims-Based Identity, Facebook, and the CloudSharePoint 2010, Claims-Based Identity, Facebook, and the Cloud
SharePoint 2010, Claims-Based Identity, Facebook, and the CloudDanny Jessee
 
Claims-Based Identity in SharePoint 2010
Claims-Based Identity in SharePoint 2010Claims-Based Identity in SharePoint 2010
Claims-Based Identity in SharePoint 2010Danny Jessee
 
Claims-Based Identity, Facebook, and the Cloud
Claims-Based Identity, Facebook, and the CloudClaims-Based Identity, Facebook, and the Cloud
Claims-Based Identity, Facebook, and the CloudDanny Jessee
 
SharePoint 2010, Claims-Based Identity, Facebook, and the Cloud
SharePoint 2010, Claims-Based Identity, Facebook, and the CloudSharePoint 2010, Claims-Based Identity, Facebook, and the Cloud
SharePoint 2010, Claims-Based Identity, Facebook, and the CloudDanny Jessee
 
SharePoint 2010 Extranets and Authentication: How will SharePoint 2010 connec...
SharePoint 2010 Extranets and Authentication: How will SharePoint 2010 connec...SharePoint 2010 Extranets and Authentication: How will SharePoint 2010 connec...
SharePoint 2010 Extranets and Authentication: How will SharePoint 2010 connec...Brian Culver
 
How to deploy SharePoint 2010 to external users?
How to deploy SharePoint 2010 to external users?How to deploy SharePoint 2010 to external users?
How to deploy SharePoint 2010 to external users?rlsoft
 
Extending SharePoint 2010 to your customers and partners
Extending SharePoint 2010 to your customers and partnersExtending SharePoint 2010 to your customers and partners
Extending SharePoint 2010 to your customers and partnersCorey Roth
 

Recommandé

SharePoint 2010, Claims-Based Identity, Facebook, and the Cloud
SharePoint 2010, Claims-Based Identity, Facebook, and the CloudSharePoint 2010, Claims-Based Identity, Facebook, and the Cloud
SharePoint 2010, Claims-Based Identity, Facebook, and the CloudDanny Jessee
 
SharePoint 2010, Claims-Based Identity, Facebook, and the Cloud
SharePoint 2010, Claims-Based Identity, Facebook, and the CloudSharePoint 2010, Claims-Based Identity, Facebook, and the Cloud
SharePoint 2010, Claims-Based Identity, Facebook, and the CloudDanny Jessee
 
Claims-Based Identity in SharePoint 2010
Claims-Based Identity in SharePoint 2010Claims-Based Identity in SharePoint 2010
Claims-Based Identity in SharePoint 2010Danny Jessee
 
Claims-Based Identity, Facebook, and the Cloud
Claims-Based Identity, Facebook, and the CloudClaims-Based Identity, Facebook, and the Cloud
Claims-Based Identity, Facebook, and the CloudDanny Jessee
 
SharePoint 2010, Claims-Based Identity, Facebook, and the Cloud
SharePoint 2010, Claims-Based Identity, Facebook, and the CloudSharePoint 2010, Claims-Based Identity, Facebook, and the Cloud
SharePoint 2010, Claims-Based Identity, Facebook, and the CloudDanny Jessee
 
SharePoint 2010 Extranets and Authentication: How will SharePoint 2010 connec...
SharePoint 2010 Extranets and Authentication: How will SharePoint 2010 connec...SharePoint 2010 Extranets and Authentication: How will SharePoint 2010 connec...
SharePoint 2010 Extranets and Authentication: How will SharePoint 2010 connec...Brian Culver
 
How to deploy SharePoint 2010 to external users?
How to deploy SharePoint 2010 to external users?How to deploy SharePoint 2010 to external users?
How to deploy SharePoint 2010 to external users?rlsoft
 
Extending SharePoint 2010 to your customers and partners
Extending SharePoint 2010 to your customers and partnersExtending SharePoint 2010 to your customers and partners
Extending SharePoint 2010 to your customers and partnersCorey Roth
 
Developing custom claim providers to enable authorization in share point an...
Developing custom claim providers to enable authorization in share point an...Developing custom claim providers to enable authorization in share point an...
Developing custom claim providers to enable authorization in share point an...AntonioMaio2
 
SharePoint, ADFS and Claims Auth
SharePoint, ADFS and Claims AuthSharePoint, ADFS and Claims Auth
SharePoint, ADFS and Claims AuthKashif Imran
 
O auth2 with angular js
O auth2 with angular jsO auth2 with angular js
O auth2 with angular jsBixlabs
 
SharePoint 2010, Claims-Based Identity, Facebook, and the Cloud
SharePoint 2010, Claims-Based Identity, Facebook, and the CloudSharePoint 2010, Claims-Based Identity, Facebook, and the Cloud
SharePoint 2010, Claims-Based Identity, Facebook, and the CloudDanny Jessee
 
Claim based authentaication
Claim based authentaicationClaim based authentaication
Claim based authentaicationSean Xiong
 
Saml vs Oauth : Which one should I use?
Saml vs Oauth : Which one should I use?Saml vs Oauth : Which one should I use?
Saml vs Oauth : Which one should I use?Anil Saldanha
 
SharePoint Saturday Toronto July 2012 - Antonio Maio
SharePoint Saturday Toronto July 2012 - Antonio MaioSharePoint Saturday Toronto July 2012 - Antonio Maio
SharePoint Saturday Toronto July 2012 - Antonio MaioAntonioMaio2
 
How Claims is Changing the Way We Authenticate and Authorize in SharePoint
How Claims is Changing the Way We Authenticate and Authorize in SharePointHow Claims is Changing the Way We Authenticate and Authorize in SharePoint
How Claims is Changing the Way We Authenticate and Authorize in SharePointAntonioMaio2
 
Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6
Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6
Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6Kenneth Peeples
 
Introduction to PicketLink
Introduction to PicketLinkIntroduction to PicketLink
Introduction to PicketLinkJBUG London
 
RESTful Day 5
RESTful Day 5RESTful Day 5
RESTful Day 5Akhil Mittal
 
Stateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWTStateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWTMobiliya
 
Java EE Application Security With PicketLink
Java EE Application Security With PicketLinkJava EE Application Security With PicketLink
Java EE Application Security With PicketLinkpigorcraveiro
 
Building Secure Extranets with Claims-Based Authentication #SPEvo13
Building Secure Extranets with Claims-Based Authentication #SPEvo13Building Secure Extranets with Claims-Based Authentication #SPEvo13
Building Secure Extranets with Claims-Based Authentication #SPEvo13Gus Fraser
 
Patterns and Antipatterns in Enterprise Security
Patterns and Antipatterns in Enterprise SecurityPatterns and Antipatterns in Enterprise Security
Patterns and Antipatterns in Enterprise SecurityWSO2
 
Leveraging SharePoint for Extranets
Leveraging SharePoint for ExtranetsLeveraging SharePoint for Extranets
Leveraging SharePoint for ExtranetsAvtex
 
Single SignOn with Federation using Claims
Single SignOn with Federation using ClaimsSingle SignOn with Federation using Claims
Single SignOn with Federation using ClaimsVolkan Uzun
 
Securing Applications With Picketlink
Securing Applications With PicketlinkSecuring Applications With Picketlink
Securing Applications With PicketlinkAnil Saldanha
 
Securing your APIs with OAuth, OpenID, and OpenID Connect
Securing your APIs with OAuth, OpenID, and OpenID ConnectSecuring your APIs with OAuth, OpenID, and OpenID Connect
Securing your APIs with OAuth, OpenID, and OpenID ConnectManish Pandit
 
Azure AD B2C Webinar Series: Identity Protocols OIDC and OAuth2 part 1
Azure AD B2C Webinar Series: Identity Protocols OIDC and OAuth2 part 1Azure AD B2C Webinar Series: Identity Protocols OIDC and OAuth2 part 1
Azure AD B2C Webinar Series: Identity Protocols OIDC and OAuth2 part 1Vinu Gunasekaran
 
Securing ap is oauth and fine grained access control
Securing ap is oauth and fine grained access controlSecuring ap is oauth and fine grained access control
Securing ap is oauth and fine grained access controlAaronLieberman5
 
Web Component Development Using Servlet & JSP Technologies (EE6) - Chapter 1...
Web Component Development Using Servlet & JSP Technologies (EE6) - Chapter 1... Web Component Development Using Servlet & JSP Technologies (EE6) - Chapter 1...
Web Component Development Using Servlet & JSP Technologies (EE6) - Chapter 1...WebStackAcademy
 

Contenu connexe

Tendances

Developing custom claim providers to enable authorization in share point an...
Developing custom claim providers to enable authorization in share point an...Developing custom claim providers to enable authorization in share point an...
Developing custom claim providers to enable authorization in share point an...AntonioMaio2
 
SharePoint, ADFS and Claims Auth
SharePoint, ADFS and Claims AuthSharePoint, ADFS and Claims Auth
SharePoint, ADFS and Claims AuthKashif Imran
 
O auth2 with angular js
O auth2 with angular jsO auth2 with angular js
O auth2 with angular jsBixlabs
 
SharePoint 2010, Claims-Based Identity, Facebook, and the Cloud
SharePoint 2010, Claims-Based Identity, Facebook, and the CloudSharePoint 2010, Claims-Based Identity, Facebook, and the Cloud
SharePoint 2010, Claims-Based Identity, Facebook, and the CloudDanny Jessee
 
Claim based authentaication
Claim based authentaicationClaim based authentaication
Claim based authentaicationSean Xiong
 
Saml vs Oauth : Which one should I use?
Saml vs Oauth : Which one should I use?Saml vs Oauth : Which one should I use?
Saml vs Oauth : Which one should I use?Anil Saldanha
 
SharePoint Saturday Toronto July 2012 - Antonio Maio
SharePoint Saturday Toronto July 2012 - Antonio MaioSharePoint Saturday Toronto July 2012 - Antonio Maio
SharePoint Saturday Toronto July 2012 - Antonio MaioAntonioMaio2
 
How Claims is Changing the Way We Authenticate and Authorize in SharePoint
How Claims is Changing the Way We Authenticate and Authorize in SharePointHow Claims is Changing the Way We Authenticate and Authorize in SharePoint
How Claims is Changing the Way We Authenticate and Authorize in SharePointAntonioMaio2
 
Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6
Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6
Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6Kenneth Peeples
 
Introduction to PicketLink
Introduction to PicketLinkIntroduction to PicketLink
Introduction to PicketLinkJBUG London
 
Stateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWTStateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWTMobiliya
 
Java EE Application Security With PicketLink
Java EE Application Security With PicketLinkJava EE Application Security With PicketLink
Java EE Application Security With PicketLinkpigorcraveiro
 
Building Secure Extranets with Claims-Based Authentication #SPEvo13
Building Secure Extranets with Claims-Based Authentication #SPEvo13Building Secure Extranets with Claims-Based Authentication #SPEvo13
Building Secure Extranets with Claims-Based Authentication #SPEvo13Gus Fraser
 
Patterns and Antipatterns in Enterprise Security
Patterns and Antipatterns in Enterprise SecurityPatterns and Antipatterns in Enterprise Security
Patterns and Antipatterns in Enterprise SecurityWSO2
 
Leveraging SharePoint for Extranets
Leveraging SharePoint for ExtranetsLeveraging SharePoint for Extranets
Leveraging SharePoint for ExtranetsAvtex
 
Single SignOn with Federation using Claims
Single SignOn with Federation using ClaimsSingle SignOn with Federation using Claims
Single SignOn with Federation using ClaimsVolkan Uzun
 
Securing Applications With Picketlink
Securing Applications With PicketlinkSecuring Applications With Picketlink
Securing Applications With PicketlinkAnil Saldanha
 
Securing your APIs with OAuth, OpenID, and OpenID Connect
Securing your APIs with OAuth, OpenID, and OpenID ConnectSecuring your APIs with OAuth, OpenID, and OpenID Connect
Securing your APIs with OAuth, OpenID, and OpenID ConnectManish Pandit
 
Azure AD B2C Webinar Series: Identity Protocols OIDC and OAuth2 part 1
Azure AD B2C Webinar Series: Identity Protocols OIDC and OAuth2 part 1Azure AD B2C Webinar Series: Identity Protocols OIDC and OAuth2 part 1
Azure AD B2C Webinar Series: Identity Protocols OIDC and OAuth2 part 1Vinu Gunasekaran
 

Tendances (20)

Developing custom claim providers to enable authorization in share point an...
Developing custom claim providers to enable authorization in share point an...Developing custom claim providers to enable authorization in share point an...
Developing custom claim providers to enable authorization in share point an...
 
SharePoint, ADFS and Claims Auth
SharePoint, ADFS and Claims AuthSharePoint, ADFS and Claims Auth
SharePoint, ADFS and Claims Auth
 
O auth2 with angular js
O auth2 with angular jsO auth2 with angular js
O auth2 with angular js
 
SharePoint 2010, Claims-Based Identity, Facebook, and the Cloud
SharePoint 2010, Claims-Based Identity, Facebook, and the CloudSharePoint 2010, Claims-Based Identity, Facebook, and the Cloud
SharePoint 2010, Claims-Based Identity, Facebook, and the Cloud
 
Claim based authentaication
Claim based authentaicationClaim based authentaication
Claim based authentaication
 
Saml vs Oauth : Which one should I use?
Saml vs Oauth : Which one should I use?Saml vs Oauth : Which one should I use?
Saml vs Oauth : Which one should I use?
 
SharePoint Saturday Toronto July 2012 - Antonio Maio
SharePoint Saturday Toronto July 2012 - Antonio MaioSharePoint Saturday Toronto July 2012 - Antonio Maio
SharePoint Saturday Toronto July 2012 - Antonio Maio
 
How Claims is Changing the Way We Authenticate and Authorize in SharePoint
How Claims is Changing the Way We Authenticate and Authorize in SharePointHow Claims is Changing the Way We Authenticate and Authorize in SharePoint
How Claims is Changing the Way We Authenticate and Authorize in SharePoint
 
Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6
Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6
Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6
 
Introduction to PicketLink
Introduction to PicketLinkIntroduction to PicketLink
Introduction to PicketLink
 
RESTful Day 5
RESTful Day 5RESTful Day 5
RESTful Day 5
 
Stateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWTStateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWT
 
Java EE Application Security With PicketLink
Java EE Application Security With PicketLinkJava EE Application Security With PicketLink
Java EE Application Security With PicketLink
 
Building Secure Extranets with Claims-Based Authentication #SPEvo13
Building Secure Extranets with Claims-Based Authentication #SPEvo13Building Secure Extranets with Claims-Based Authentication #SPEvo13
Building Secure Extranets with Claims-Based Authentication #SPEvo13
 
Patterns and Antipatterns in Enterprise Security
Patterns and Antipatterns in Enterprise SecurityPatterns and Antipatterns in Enterprise Security
Patterns and Antipatterns in Enterprise Security
 
Leveraging SharePoint for Extranets
Leveraging SharePoint for ExtranetsLeveraging SharePoint for Extranets
Leveraging SharePoint for Extranets
 
Single SignOn with Federation using Claims
Single SignOn with Federation using ClaimsSingle SignOn with Federation using Claims
Single SignOn with Federation using Claims
 
Securing Applications With Picketlink
Securing Applications With PicketlinkSecuring Applications With Picketlink
Securing Applications With Picketlink
 
Securing your APIs with OAuth, OpenID, and OpenID Connect
Securing your APIs with OAuth, OpenID, and OpenID ConnectSecuring your APIs with OAuth, OpenID, and OpenID Connect
Securing your APIs with OAuth, OpenID, and OpenID Connect
 
Azure AD B2C Webinar Series: Identity Protocols OIDC and OAuth2 part 1
Azure AD B2C Webinar Series: Identity Protocols OIDC and OAuth2 part 1Azure AD B2C Webinar Series: Identity Protocols OIDC and OAuth2 part 1
Azure AD B2C Webinar Series: Identity Protocols OIDC and OAuth2 part 1
 

Similaire à Deciphering 'Claims-based Identity'

Securing ap is oauth and fine grained access control
Securing ap is oauth and fine grained access controlSecuring ap is oauth and fine grained access control
Securing ap is oauth and fine grained access controlAaronLieberman5
 
Web Component Development Using Servlet & JSP Technologies (EE6) - Chapter 1...
Web Component Development Using Servlet & JSP Technologies (EE6) - Chapter 1... Web Component Development Using Servlet & JSP Technologies (EE6) - Chapter 1...
Web Component Development Using Servlet & JSP Technologies (EE6) - Chapter 1...WebStackAcademy
 
Azure AD B2C Webinar Series: Custom Policies Part 1
Azure AD B2C Webinar Series: Custom Policies Part 1Azure AD B2C Webinar Series: Custom Policies Part 1
Azure AD B2C Webinar Series: Custom Policies Part 1Vinu Gunasekaran
 
validation of user credentials in social network by using Django backend aut...
validation of user credentials in social network by using Django backend aut...validation of user credentials in social network by using Django backend aut...
validation of user credentials in social network by using Django backend aut...izzatisholehah
 
SecureDroid: An Android Security Framework Extension for Context-Aware policy...
SecureDroid: An Android Security Framework Extension for Context-Aware policy...SecureDroid: An Android Security Framework Extension for Context-Aware policy...
SecureDroid: An Android Security Framework Extension for Context-Aware policy...Giuseppe La Torre
 
New Trends in Web Security
New Trends in Web SecurityNew Trends in Web Security
New Trends in Web SecurityOliver Pfaff
 
OpenID for Verifiable Credentials
OpenID for Verifiable CredentialsOpenID for Verifiable Credentials
OpenID for Verifiable CredentialsTorsten Lodderstedt
 
Contextual Authentication: A Multi-factor Approach
Contextual Authentication: A Multi-factor ApproachContextual Authentication: A Multi-factor Approach
Contextual Authentication: A Multi-factor ApproachPortalGuard
 
IRJET- Data Security with Multifactor Authentication
IRJET- Data Security with Multifactor AuthenticationIRJET- Data Security with Multifactor Authentication
IRJET- Data Security with Multifactor AuthenticationIRJET Journal
 
CIS14: Are the Enterprises Ready for Identity of Everything?
CIS14: Are the Enterprises Ready for Identity of Everything?CIS14: Are the Enterprises Ready for Identity of Everything?
CIS14: Are the Enterprises Ready for Identity of Everything?CloudIDSummit
 
OpenID 4 Verifiable Credentials + HAIP (Update)
OpenID 4 Verifiable Credentials + HAIP (Update)OpenID 4 Verifiable Credentials + HAIP (Update)
OpenID 4 Verifiable Credentials + HAIP (Update)Torsten Lodderstedt
 
Review Paper On Multi-Keyword Ranked Search in Encrypted Cloud Storage
Review Paper On Multi-Keyword Ranked Search in Encrypted Cloud StorageReview Paper On Multi-Keyword Ranked Search in Encrypted Cloud Storage
Review Paper On Multi-Keyword Ranked Search in Encrypted Cloud StorageIRJET Journal
 
A Review on Two Level Authentication Using Image Selection and Voice Recognition
A Review on Two Level Authentication Using Image Selection and Voice RecognitionA Review on Two Level Authentication Using Image Selection and Voice Recognition
A Review on Two Level Authentication Using Image Selection and Voice RecognitionIRJET Journal
 
IDENTITY IN THE WORLD OF IOT
IDENTITY IN THE WORLD OF IOTIDENTITY IN THE WORLD OF IOT
IDENTITY IN THE WORLD OF IOTForgeRock
 
A CRYPTOGRAPHIC MUTUAL AUTHENTICATION SCHEME FOR WEB APPLICATIONS
A CRYPTOGRAPHIC MUTUAL AUTHENTICATION SCHEME FOR WEB APPLICATIONSA CRYPTOGRAPHIC MUTUAL AUTHENTICATION SCHEME FOR WEB APPLICATIONS
A CRYPTOGRAPHIC MUTUAL AUTHENTICATION SCHEME FOR WEB APPLICATIONSIJNSA Journal
 

Similaire à Deciphering 'Claims-based Identity' (20)

Securing ap is oauth and fine grained access control
Securing ap is oauth and fine grained access controlSecuring ap is oauth and fine grained access control
Securing ap is oauth and fine grained access control
 
Web Component Development Using Servlet & JSP Technologies (EE6) - Chapter 1...
Web Component Development Using Servlet & JSP Technologies (EE6) - Chapter 1... Web Component Development Using Servlet & JSP Technologies (EE6) - Chapter 1...
Web Component Development Using Servlet & JSP Technologies (EE6) - Chapter 1...
 
Azure AD B2C Webinar Series: Custom Policies Part 1
Azure AD B2C Webinar Series: Custom Policies Part 1Azure AD B2C Webinar Series: Custom Policies Part 1
Azure AD B2C Webinar Series: Custom Policies Part 1
 
OAuth Base Camp
OAuth Base CampOAuth Base Camp
OAuth Base Camp
 
validation of user credentials in social network by using Django backend aut...
validation of user credentials in social network by using Django backend aut...validation of user credentials in social network by using Django backend aut...
validation of user credentials in social network by using Django backend aut...
 
SecureDroid: An Android Security Framework Extension for Context-Aware policy...
SecureDroid: An Android Security Framework Extension for Context-Aware policy...SecureDroid: An Android Security Framework Extension for Context-Aware policy...
SecureDroid: An Android Security Framework Extension for Context-Aware policy...
 
SCWCD : Secure web
SCWCD : Secure webSCWCD : Secure web
SCWCD : Secure web
 
SCWCD : Secure web : CHAP : 7
SCWCD : Secure web : CHAP : 7SCWCD : Secure web : CHAP : 7
SCWCD : Secure web : CHAP : 7
 
Web security
Web securityWeb security
Web security
 
New Trends in Web Security
New Trends in Web SecurityNew Trends in Web Security
New Trends in Web Security
 
OpenID for Verifiable Credentials
OpenID for Verifiable CredentialsOpenID for Verifiable Credentials
OpenID for Verifiable Credentials
 
Contextual Authentication: A Multi-factor Approach
Contextual Authentication: A Multi-factor ApproachContextual Authentication: A Multi-factor Approach
Contextual Authentication: A Multi-factor Approach
 
IRJET- Data Security with Multifactor Authentication
IRJET- Data Security with Multifactor AuthenticationIRJET- Data Security with Multifactor Authentication
IRJET- Data Security with Multifactor Authentication
 
OpenID for SSI
OpenID for SSIOpenID for SSI
OpenID for SSI
 
CIS14: Are the Enterprises Ready for Identity of Everything?
CIS14: Are the Enterprises Ready for Identity of Everything?CIS14: Are the Enterprises Ready for Identity of Everything?
CIS14: Are the Enterprises Ready for Identity of Everything?
 
OpenID 4 Verifiable Credentials + HAIP (Update)
OpenID 4 Verifiable Credentials + HAIP (Update)OpenID 4 Verifiable Credentials + HAIP (Update)
OpenID 4 Verifiable Credentials + HAIP (Update)
 
Review Paper On Multi-Keyword Ranked Search in Encrypted Cloud Storage
Review Paper On Multi-Keyword Ranked Search in Encrypted Cloud StorageReview Paper On Multi-Keyword Ranked Search in Encrypted Cloud Storage
Review Paper On Multi-Keyword Ranked Search in Encrypted Cloud Storage
 
A Review on Two Level Authentication Using Image Selection and Voice Recognition
A Review on Two Level Authentication Using Image Selection and Voice RecognitionA Review on Two Level Authentication Using Image Selection and Voice Recognition
A Review on Two Level Authentication Using Image Selection and Voice Recognition
 
IDENTITY IN THE WORLD OF IOT
IDENTITY IN THE WORLD OF IOTIDENTITY IN THE WORLD OF IOT
IDENTITY IN THE WORLD OF IOT
 
A CRYPTOGRAPHIC MUTUAL AUTHENTICATION SCHEME FOR WEB APPLICATIONS
A CRYPTOGRAPHIC MUTUAL AUTHENTICATION SCHEME FOR WEB APPLICATIONSA CRYPTOGRAPHIC MUTUAL AUTHENTICATION SCHEME FOR WEB APPLICATIONS
A CRYPTOGRAPHIC MUTUAL AUTHENTICATION SCHEME FOR WEB APPLICATIONS
 

Plus de Oliver Pfaff

Trends in IIoT and OT Security
Trends in IIoT and OT SecurityTrends in IIoT and OT Security
Trends in IIoT and OT SecurityOliver Pfaff
 
Web-of-Things and Services Security
Web-of-Things and Services SecurityWeb-of-Things and Services Security
Web-of-Things and Services SecurityOliver Pfaff
 
IT-Security@Contemporary Life
IT-Security@Contemporary LifeIT-Security@Contemporary Life
IT-Security@Contemporary LifeOliver Pfaff
 
OpenID Connect - An Emperor or Just New Cloths?
OpenID Connect - An Emperor or Just New Cloths?OpenID Connect - An Emperor or Just New Cloths?
OpenID Connect - An Emperor or Just New Cloths?Oliver Pfaff
 
Does REST Change the Game for IAM?
Does REST Change the Game for IAM?Does REST Change the Game for IAM?
Does REST Change the Game for IAM?Oliver Pfaff
 
Trust in E- and M-Business - Advances Through IT-Security
Trust in E- and M-Business - Advances Through IT-SecurityTrust in E- and M-Business - Advances Through IT-Security
Trust in E- and M-Business - Advances Through IT-SecurityOliver Pfaff
 
Identifying How WAP Can Be Used For Secure mBusiness
Identifying How WAP Can Be Used For Secure mBusinessIdentifying How WAP Can Be Used For Secure mBusiness
Identifying How WAP Can Be Used For Secure mBusinessOliver Pfaff
 
Early Adopting Java WSIT-Experiences with Windows CardSpace
Early Adopting Java WSIT-Experiences with Windows CardSpaceEarly Adopting Java WSIT-Experiences with Windows CardSpace
Early Adopting Java WSIT-Experiences with Windows CardSpaceOliver Pfaff
 
Implementing Public-Key-Infrastructures
Implementing Public-Key-InfrastructuresImplementing Public-Key-Infrastructures
Implementing Public-Key-InfrastructuresOliver Pfaff
 
Identity 2.0 and User-Centric Identity
Identity 2.0 and User-Centric IdentityIdentity 2.0 and User-Centric Identity
Identity 2.0 and User-Centric IdentityOliver Pfaff
 
State-of-the-Art in Web Services Federation
State-of-the-Art in Web Services FederationState-of-the-Art in Web Services Federation
State-of-the-Art in Web Services FederationOliver Pfaff
 
Unified Security Architectures for Web and WAP
Unified Security Architectures for Web and WAPUnified Security Architectures for Web and WAP
Unified Security Architectures for Web and WAPOliver Pfaff
 
Real-Time-Communications Security-How to Deploy Presence and Instant Messagin...
Real-Time-Communications Security-How to Deploy Presence and Instant Messagin...Real-Time-Communications Security-How to Deploy Presence and Instant Messagin...
Real-Time-Communications Security-How to Deploy Presence and Instant Messagin...Oliver Pfaff
 
Identity 2.0, Web services and SOA in Health Care
Identity 2.0, Web services and SOA in Health CareIdentity 2.0, Web services and SOA in Health Care
Identity 2.0, Web services and SOA in Health CareOliver Pfaff
 
SOA Security - So What?
SOA Security - So What?SOA Security - So What?
SOA Security - So What?Oliver Pfaff
 

Plus de Oliver Pfaff (16)

Trends in IIoT and OT Security
Trends in IIoT and OT SecurityTrends in IIoT and OT Security
Trends in IIoT and OT Security
 
Web-of-Things and Services Security
Web-of-Things and Services SecurityWeb-of-Things and Services Security
Web-of-Things and Services Security
 
IT-Security@Contemporary Life
IT-Security@Contemporary LifeIT-Security@Contemporary Life
IT-Security@Contemporary Life
 
OpenID Connect - An Emperor or Just New Cloths?
OpenID Connect - An Emperor or Just New Cloths?OpenID Connect - An Emperor or Just New Cloths?
OpenID Connect - An Emperor or Just New Cloths?
 
Does REST Change the Game for IAM?
Does REST Change the Game for IAM?Does REST Change the Game for IAM?
Does REST Change the Game for IAM?
 
Analyzing OAuth
Analyzing OAuthAnalyzing OAuth
Analyzing OAuth
 
Trust in E- and M-Business - Advances Through IT-Security
Trust in E- and M-Business - Advances Through IT-SecurityTrust in E- and M-Business - Advances Through IT-Security
Trust in E- and M-Business - Advances Through IT-Security
 
Identifying How WAP Can Be Used For Secure mBusiness
Identifying How WAP Can Be Used For Secure mBusinessIdentifying How WAP Can Be Used For Secure mBusiness
Identifying How WAP Can Be Used For Secure mBusiness
 
Early Adopting Java WSIT-Experiences with Windows CardSpace
Early Adopting Java WSIT-Experiences with Windows CardSpaceEarly Adopting Java WSIT-Experiences with Windows CardSpace
Early Adopting Java WSIT-Experiences with Windows CardSpace
 
Implementing Public-Key-Infrastructures
Implementing Public-Key-InfrastructuresImplementing Public-Key-Infrastructures
Implementing Public-Key-Infrastructures
 
Identity 2.0 and User-Centric Identity
Identity 2.0 and User-Centric IdentityIdentity 2.0 and User-Centric Identity
Identity 2.0 and User-Centric Identity
 
State-of-the-Art in Web Services Federation
State-of-the-Art in Web Services FederationState-of-the-Art in Web Services Federation
State-of-the-Art in Web Services Federation
 
Unified Security Architectures for Web and WAP
Unified Security Architectures for Web and WAPUnified Security Architectures for Web and WAP
Unified Security Architectures for Web and WAP
 
Real-Time-Communications Security-How to Deploy Presence and Instant Messagin...
Real-Time-Communications Security-How to Deploy Presence and Instant Messagin...Real-Time-Communications Security-How to Deploy Presence and Instant Messagin...
Real-Time-Communications Security-How to Deploy Presence and Instant Messagin...
 
Identity 2.0, Web services and SOA in Health Care
Identity 2.0, Web services and SOA in Health CareIdentity 2.0, Web services and SOA in Health Care
Identity 2.0, Web services and SOA in Health Care
 
SOA Security - So What?
SOA Security - So What?SOA Security - So What?
SOA Security - So What?
 

Dernier

Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 

Dernier (20)

Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 

Deciphering 'Claims-based Identity'

  • 1. Deciphering 'Claims-based Identity' Oliver Pfaff September 13, 2014
  • 2. 2 Sept. 2014 - All rights reserved Preface ▶'Claims-based identity' presents an important concept. It was introduced some years ago and is well-covered –Just Google this term –Most notably: A Guide To Claims-Based Identity And Access Control (Second Edition) ▶However software product owners, application architects and developers often are puzzling about it –I happen to encounter the same questions again and again –So this is what claims-based identity means to me
  • 3. 3 Sept. 2014 - All rights reserved Approach ▶Create applications so that identity gets established outside the application –This refers to the identity of the current caller ▶The environment establishes and injects required identity information –This has to happen in a secure way Application request.getName()=JohnDoe Identity This is: name=JohnDoe Environment John Doe
  • 4. 4 Sept. 2014 - All rights reserved Blueprint Application request.getName()= JohnDoe… John Doe Identity infrastructure service <e.g. Web application> Container Identity enabling module <e.g. filter> Authentication request (without credentials) Security token Identity info User agent You – as product owner, architect, or developer One of your users Else Initial authentication
  • 5. 5 Sept. 2014 - All rights reserved Flavors ▶Claims-based identity comes in two flavors, economy/business – if you will –Economy: applications tell the identity infrastructure service at registration-time about their demand e.g. “I need info about age, residential address and loyalty program membership” •Provides authenticated information about the current user in push-style •Registration changes are needed to alter the set of supplied information –Business: applications tell the identity infrastructure service at runtime e.g. “I need info about marital status” •Allows applications to obtain authenticated information about the current user in pull-style (programmatically or declaratively providing the instructions on to-be-supplied claim information) •Altering the set of requested information to e.g. “Hey, I need info about marital status and the mail address” does not mandate registration changes
  • 6. 6 Sept. 2014 - All rights reserved Ingredients ▶In order to offer an economy solution it takes a security token object that supports application-specific contents in a versatile way –This is: name=JohnDoe, age=37, maritalStatus=divorced…. ▶To offer a business solution it also takes an authentication request object that can express application-defined instructions –I need: info about name, age, maritalStatus…
  • 7. 7 Sept. 2014 - All rights reserved Protocols ▶This addresses the question ‘which protocols bear the concept of claims-based identity’ for Web applications i.e. anything that relies on HTTP ▶It requires HTTP request/response exchanges that encompass a security token object capturing an event of authentication. So the shortlist is –Kerberos: specified by IETF (RFC 4559); uses Kerberos tickets as security token form-factor –SAML: specified by OASIS, uses SAML assertions –WS-Federation (passive profile): specified by OASIS; supports various security token formats –OpenID Connect: specified by OpenID Foundation; uses JSON Web Tokens –OAuth UA4C: elaborated at IETF (work-in-progress); uses JSON Web Tokens
  • 8. 8 Sept. 2014 - All rights reserved Fluency Economy Business Kerberos Security token is not versatile: Kerberos tickets only inform about the PrincipalName of the requestor Authentication request absent SAML Security token (saml:Assertion) is versatile Authentication request present in SAML 2.0 but does not define the expression of to- be-supplied claims information* Authentication request absent in SAML 1.x WS-Federation (passive profile) Security token can be versatile e.g. saml:Assertion** Authentication request present and supports the expression of to-be-supplied claims information: child element wst:Claims in wst:RequestSecurityToken OpenID Connect Security token (JSON Web Token) is versatile Authentication request present and supports two ways of expressing to-be- supplied claims information: - OAuth Scope values - OpenID Connect request object claims OAuth UA4C Security token (JSON Web Token) is versatile Authentication request present but does not define the expression of to-be-supplied claims information*** *: Its ‘any’ –type child element samlp:Extension supports custom content but things become proprietary **: WS-Federation does not specify security token formats. It also supports non-versatile objects e.g. Kerberos ***: OAuth Scope values might be used but UA4C does not specify their use for providing such instructions
  • 9. 9 Sept. 2014 - All rights reserved Stacks ▶The following addresses the question 'which stacks encompass identity enabling modules/infrastructure services for claims-based identity’ for Java (Java SE/EE) and .NET
  • 10. 10 Sept. 2014 - All rights reserved Fitness Economy Business Java Servlet API allows Java Web applications to access authenticated information about the current requestor (request.getRemoteUser()/ getUserPrincipal()) which is supplied by container/application extension modules. This does not specify rich representations of identity. Additional modules (IAM enabling) and custom conventions (between them and applications) are needed to supply caller identity in rich representations. Additional modules (IAM enabling) and custom conventions (between them and applications) to provide authentication requests with instructions on to-be-supplied claims. .NET Natively supported: • Identity enabling modules: WS-Federation Authentication Module (part of Windows Identity Foundation) • Identity infrastructure services: Active Directory Federation Services (on-premises), Azure Active Directory Access Control (Cloud) Natively supported (see left): instructions on to be supplied claims may be provided programmatically or declaratively
  • 11. 11 Sept. 2014 - All rights reserved Caveats ▶It takes two to tango: fluency of the protocol and ability of the stack –Protocols: •Economy: most shortlisted protocols are capable of doing the basic trick •Business: not all shortlisted protocols do the advanced trick –Stacks: •DIY needed for Java oNo identity enabling module for doing the trick comes off-the-shelf with Java SE/EE oCurrent servlet API does not specify the supply of caller identity in rich representations •Straight-forward with .NET oOff-the-shelf components and default recipes do exist
  • 12. 12 Sept. 2014 - All rights reserved Limitations ▶Claims-based identity does not solve all IAM-related use cases –Edge case: logged-in users perform operations which depend on information about other users (colleagues, buddies…) •Claims-based identity is able to cover the first part: who is the 'logged- in user’ (identifier, properties) possibly including: who are the other users (list of references) •But not the second part: what are the identities of 'other users' (their identifiers, properties). Packaging such information into security tokens issued for the primary user and binding that to an application session over-stretches typical boundary conditions –Cf. Provisioning scenarios in identity federations for more background ▶Claims-based identity does not automatically result in good IAM practices: –Applications can always come up with mySpecialUserPropertyYouDidNotAnticipateAndIRegardMandatory –Care is needed in allocating such information as well as the functionality for its maintenance in an overall IT-system
  • 13. 13 Sept. 2014 - All rights reserved Benefits ▶Improve user experience: facilitate consistent identity and login experience across network applications ▶Foster re-use: externalize the concern of user resp. requestor authentication, re-use its implementation across multiple applications ▶Facilitate agility: introduce new security features e.g. new authentication schemes or adaptive, context-based login without touching each individual application ▶Support new deployment models: applications that internalize initial authentication are tedious to move to the Cloud (here: IaaS, PaaS) ▶Scale application development: the number of development resources who are literate in security/IAM is out-scaled by the number of applications in need of authenticated information for their current requestor
  • 14. 14 Sept. 2014 - All rights reserved Conclusions ▶Claims-based identity is about the design of applications: it refers to a dependency injection concept for the ‘last mile‘ in authentication systems ▶Claims-based identity is one term for this concept: other solutions trading identity in its post-authentication form may comply with the concept without using this term ▶Claims-based identity is no one-stop-shop: IAM use cases do exist which are not covered by claims-based identity ▶Claims-based identity comes in some flavors: there is no single, one-size-fits- all approach – pull/push modes are to be distinguished ▶Claims-based identity is an unevenly distributed asset: in Java you’ll have to DIY, with .NET most stuff comes included
  • 15. 15 Sept. 2014 - All rights reserved Author ▶oliver.frank.pfaff@gmail.com