Authentication in the Cloud. Stefan Seelmann

Similar documents
Warm Up to Identity Protocol Soup

Best Practices: Authentication & Authorization Infrastructure. Massimo Benini HPCAC - April,

API Gateway. Version 7.5.1

openid connect all the things

Using Your Own Authentication System with ArcGIS Online. Cameron Kroeker and Gary Lee

Enhancing cloud applications by using external authentication services. 2015, 2016 IBM Corporation

Web Based Single Sign-On and Access Control

Single Sign-On for PCF. User's Guide

User Directories. Overview, Pros and Cons

globus online Globus Nexus Steve Tuecke Computation Institute University of Chicago and Argonne National Laboratory

ArcGIS Enterprise Security: An Introduction. Gregory Ponto & Jeff Smith

OPENID CONNECT 101 WHITE PAPER

Building the Modern Research Data Portal using the Globus Platform. Rachana Ananthakrishnan GlobusWorld 2017

SAP Security in a Hybrid World. Kiran Kola

Identity and Data Access: OpenID & OAuth

Authentication & Authorization systems developed for CTA

Standards-based Secure Signon for Cloud and Native Mobile Agents

Identity management. Tuomas Aura CSE-C3400 Information security. Aalto University, autumn 2014

OAuth and OpenID Connect (IN PLAIN ENGLISH)

Technical Overview. Version March 2018 Author: Vittorio Bertola

Practical. David Recordon Brian Ellin

All about SAML End-to-end Tableau and OKTA integration

Eric Sachs Director of Product Management Identity, Google. Pam Dingle Senior Technical Architect Office of the CTO, Ping Identity

Tutorial: Building the Services Ecosystem

Major SAML 2.0 Changes. Nate Klingenstein Internet2 EuroCAMP 2007 Helsinki April 17, 2007

Building the Modern Research Data Portal. Developer Tutorial

ForgeRock Access Management Core Concepts AM-400 Course Description. Revision B

Web Security Model and Applications

NIELSEN API PORTAL USER REGISTRATION GUIDE

ArcGIS Enterprise Security: An Introduction. Randall Williams Esri PSIRT

Authentication. Katarina

WSO2 Identity Management

EXTENDING SINGLE SIGN-ON TO AMAZON WEB SERVICES BEST PRACTICES FOR IDENTITY FEDERATION IN AWS E-BOOK

ISA 767, Secure Electronic Commerce Xinwen Zhang, George Mason University

ArcGIS Server and Portal for ArcGIS An Introduction to Security

Ramnish Singh IT Advisor Microsoft Corporation Session Code:

BIG-IP Access Policy Manager : Authentication and Single Sign-On. Version 13.1

Integrating with ClearPass HTTP APIs

ForgeRock Access Management Customization and APIs

Deploying OAuth with Cisco Collaboration Solution Release 12.0

Authentication Guide

MediaAUTH Draft Proposal

QCon - New York. New York 18th June 2012 (June 18th for Americans)

Today s workforce is Mobile. Cloud and SaaSbased. are being deployed and used faster than ever. Most applications are Web-based apps

Salesforce External Identity Implementation Guide

Your Auth is open! Oversharing with OpenAuth & SAML

THE ESSENTIAL OAUTH PRIMER: UNDERSTANDING OAUTH FOR SECURING CLOUD APIS

Box Connector. Version 2.0. User Guide

Connect. explained. Vladimir Dzhuvinov. :

SAML-Based SSO Solution

Trusted identities for the cloud using open source technologies where Open ecard App meets SkIDentity

OpenID: From Geek to Chic. Greg Keegstra OpenID Summit Tokyo Dec 1, 2011

INDIGO-Datacloud Identity and Access Management Service

Introduction to SciTokens

OpenID Security Analysis and Evaluation

Container-Native Applications

SAP Single Sign-On 2.0 Overview Presentation

Liferay Security Features Overview. How Liferay Approaches Security

Using Twitter & Facebook API. INF5750/ Lecture 10 (Part II)

Advanced API Security

Salesforce External Identity Implementation Guide

Interagency Advisory Board Meeting Agenda, August 25, 2009

Cloud Access Manager Configuration Guide

Single Sign-On Best Practices

Consuming Office 365 REST API. Paolo Pialorsi PiaSys.com

Authentication. August 17, 2018 Version 9.4. For the most recent version of this document, visit our documentation website.

Real-world security analyses of OAuth 2.0 and OpenID Connect

User Management. Juan J. Doval DEIMOS SPACE S.L.U. NextGEOSS, September 25 th 2017

API Security Management SENTINET

HTTP Mutual authentication protocol proposal. Yutaka OIWA RCIS, AIST

Security Guide Zoom Video Communications Inc.

Administering Jive Mobile Apps for ios and Android

Salesforce External Identity Implementation Guide

HANDS-ON ACTIVITIES IDENTITY & ACCESS MANAGEMENT FEBRUARY, Hands-on Activities: Identity & Access Management 1

A Comprehensive Formal Security Analysis of OAuth 2.0

Certification Exam Guide SALESFORCE CERTIFIED IDENTITY AND ACCESS MANAGEMENT DESIGNER. Summer Salesforce.com, inc. All rights reserved.

IMPLEMENTING SINGLE SIGN-ON (SSO) TO KERBEROS CONSTRAINED DELEGATION AND HEADER-BASED APPS. VMware Identity Manager.

About This Document 3. Overview 3. System Requirements 3. Installation & Setup 4

ISACA Silicon Valley. APIs The Next Hacker Target or a Business and Security Opportunity? Tim Mather, CISO Cadence Design Systems

The SciTokens Authorization Model: JSON Web Tokens & OAuth

Attributes for Apps How mobile Apps can use SAML Authentication and Attributes

Unified Contact Center Enterprise (UCCE) Single Sign On (SSO) Certificates and Configuration

Configuration Guide - Single-Sign On for OneDesk

Integration Guide. SafeNet Authentication Manager. Using SAM as an Identity Provider for PingFederate

Securing APIs and Microservices with OAuth and OpenID Connect

Using OpenID/OAuth to access Federated Data Services

DATACENTER MANAGEMENT Goodbye ADFS, Hello Modern Authentication! Osman Akagunduz

The new SAP PI REST adapter Unveiled v1.0. SAPience TECH commission, Nov Dimitri Sannen SAP Solution Architect

Using OAuth 2.0 to Access ionbiz APIs

BlackBerry AtHoc Networked Crisis Communication. BlackBerry AtHoc API Quick Start Guide

GDPR, PSD2, CIAM, and the Role of User-Managed Access 2.0

SSO Integration Overview

Mobile Procurement REST API (MOBPROC): Access Tokens

Expertise that goes beyond experience.

Inland Revenue. Build Pack. Identity and Access Services. Date: 04/09/2017 Version: 1.5 IN CONFIDENCE

Inside Symantec O 3. Sergi Isasi. Senior Manager, Product Management. SR B30 - Inside Symantec O3 1

API Security Management with Sentinet SENTINET

Salesforce1 Mobile Security White Paper. Revised: April 2014

Single Sign on. Dr. Suchitra Suriya, H.O.D, MSc. (I.T) Department, Jain University, Bangalore-69, India.

SAML-Based SSO Solution

Transcription:

Authentication in the Cloud Stefan Seelmann

Agenda Use Cases View Points Existing Solutions Upcoming Solutions

Use Cases End user needs login to a site or service End user wants to share access to resources Users of enterprise A should use services of enterprise B Service C needs to access service D Service integration

End User End-User PoV I need to register to each site I want use I can't remember all usernames and passwords My preferred username is taken Login for each site I use Smooth services integration I won't be tracked

Site Owner Site Owner PoV We have to create another user management Registration, login mask, forgot password mess Storing passwords is a huge responsibility Less forms for users higher conversion rate We want to integrate other services Our service must not rely on external services

Identity Provider Identity Provider PoV Wants growing user base Track data to make money Make other depending on identity service

Existing Solutions Own User Management Username / password Federated Identity Management + SSO OpenID, SAML, Kerberos Login with Facebook, Login with Twitter Access to Resources OAuth, X.509, Basic Authentication

Username / Password + Basic Auth Pros: Site Owner End User Easy to implement and easy to understand No dependencies to external services Cons: Simple passwords, easy to crack Site Owner Same password for multiple services Disclosed to others When sent over unencrypted connections ftp://user23:w7xu1$mu@www.example.com/video.mov

OpenID Version 2.0 since 2007 Wants to solve the password problem Web Single Sign-On Decentral system Ad-hoc addition of RP and OP User-centric User selects provider s/he trusts. Or use your own. Delegation

OpenID Three Players End user with identifier (URI) Identity Provider (OP) Relying Party (RP) http://farm1.static.flickr.com/163/351494842_cd83fef2f5_o.jpg

OpenID Identifiers: http://exampleuser.livejournal.com/ https://www.google.com/accounts/o8/id?id=abc... Delegation http://www.my-domain.com <link rel="openid2.provider openid.server" href="http://www.livejournal.com/openid/server.bml"/> <link rel="openid2.local_id openid.delegate" href="http://exampleuser.livejournal.com/"/>

Pros: End User OpenID Single identifier, single sign-on Adoption? Site Owner Simple registration, attribute exchange Cons: OpenID provider may track you End User Hard to understand (URI as identifier, NASCAR) Doesn't work for mobile apps or JavaScript apps Dependency on external service At runtime; OpenID providers come and go Delegation Site Owner End User

SAML Flow similar to OpenID User, service provider (SP), identity provider (IdP) Trust between IdP and SP XML based Used in enterprise and educational environment Adoption Implementations: MS ADFS, Shibboleth Google Apps, Salesforge

OAuth Let user control 3rd party access to resources Especially to access REST-APIs Default example: photo printing service OAuth 1.0 (RFC 5849) Browser-based flow only Crypographic signatures Library needed OAuth 2.0 (draft 21) Flows for mobile and browser (JavaScript) apps Bearer tokens, SSL/TLS, short-living access tokens

OAuth 2.0 Four players: Resource owner Client (3rd party application) Authorization server (AS) Resource server (RS) with protected resources Tree steps: 1.Client registration (once per client) 2.Obtaining authorization (once per user) 3.Obtaining access token and access resource https://labs.ericsson.com/apis/oauth2-framework/files/webflow.png

OAuth 2.0 Client registration Once per client Establish client_id and client_secret Not specified, no protocol

OAuth 2.0 Obtaining authorization (access/refresh token) Authorization code Server-side webapp Implicit grant JavaScript app Access tokes in URI fragment Resource owner password credentials desktop or mobile app Client credentials if client is resource owner (2-legged)

OAuth 2.0 Obtaining access token and access resource No more user interaction required Client uses refresh token to obtain access token short-living Client uses access token to access resource resource server must validate access token, not specified

OAuth Adoption? Pros: End User No need to share credentials Separate access token for each 3rd party Cons: OAuth 1.0: complex, no support for apps Flows for mobile and desktop apps still sucks No specification of client registration, AS, RS Requires client registration Site Owner

Proprietary Stuff Sign in with Twitter Idea: only the user can allow access OAuth 1.0, registration required Login with Facebook https://graph.facebook.com/me?access_token=... OAuth2, registration required VZ* Login Janrain

Upcoming Solutions OpenID Connect Account Chooser BrowserID WebID

OpenID Connect Identity service on top of OAuth 2.0 Login + SSO + access to basic attributess Most big players are involved Google Facebook Microsoft Yahoo

Modular OpenID Connect

OpenID Connect Demo https://oauthssodemo.appspot.com

OpenID Connect Differences to OpenID 2.0 Basics are simpler Site Owner Attribute exchange (UserInfo endpoint) is built-in No cryptograhic signatures required HTTPS No library required HTTP parameters, JSON No more delegation Can be achieved through discovery No longer decentral End User Dynamic Client Registration is optional Optimized for big players User centric?

Account Chooser Invented by Google Transfer to OpenID Foundation in progress Spec: http://accountchooser.com/ Legacy compatibility (local user database) Protocol agnostic (OpenID, SAML, etc.) Demos https://account-chooser.appspot.com/ http://www.openidsamplestore.com/basic/

Account Chooser Prototype: Google Identity Tookit (GITkit) http://code.google.com/apis/identitytoolkit/index.html http://code.google.com/apis/identitytoolkit/v1/openid.html

BrowserID From Mozilla Labs Email is your identity You can verify its ownership Mail provider is primary identity authority Implementations: Today: HTML5 based (local storage) Future: natve built into browsers Demo: http://myfavoritebeer.org/ http://lloyd.io/how-browserid-works

WebID W3C draft Application of Semantic Web SSL certificate with pointer to WebID Profile WebID Profile is RDF

Summary Authentication If you want SSO you are trackable End User Site Owner Is dependency on external service acceptable? If you use Facebook of Twitter for login then upgrade to OpenID Connect API access OAuth is cool Site Owner

Resources OpenID Connect http://openid.net/connect/ OAuth 2 http://tools.ietf.org/html/draft-ietf-oauth-v2 Apache Amber (in incubation) Java implemention of OAuth 2.0 (draft 10) Potentially OpenID Connect http://incubator.apache.org/amber https://cwiki.apache.org/confluence/display/amber

Thanks for your attention

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback