Warm Up to Identity Protocol Soup

Similar documents
SAML-Based SSO Solution

SAML-Based SSO Solution

EXTENDING SINGLE SIGN-ON TO AMAZON WEB SERVICES BEST PRACTICES FOR IDENTITY FEDERATION IN AWS E-BOOK

Authentication in the Cloud. Stefan Seelmann

Your Auth is open! Oversharing with OpenAuth & SAML

RSA SecurID Ready Implementation Guide. Last Modified: December 13, 2013

Authentication. Katarina

Enhancing cloud applications by using external authentication services. 2015, 2016 IBM Corporation

Kerberos for the Web Current State and Leverage Points

SSO Integration Overview

Identity management. Tuomas Aura CSE-C3400 Information security. Aalto University, autumn 2014

Major SAML 2.0 Changes. Nate Klingenstein Internet2 EuroCAMP 2007 Helsinki April 17, 2007

Integration Guide. PingFederate SAML Integration Guide (SP-Initiated Workflow)

Introduction... 5 Configuring Single Sign-On... 7 Prerequisites for Configuring Single Sign-On... 7 Installing Oracle HTTP Server...

ArcGIS Server and Portal for ArcGIS An Introduction to Security

Identity-Enabled Web Services

OPENID CONNECT 101 WHITE PAPER

Slack Connector. Version 2.0. User Guide

Quick Connection Guide

Zendesk Connector. Version 2.0. User Guide

Identity Provider for SAP Single Sign-On and SAP Identity Management

OpenID Cloud Identity Connector. Version 1.3.x. User Guide

Configuration Guide - Single-Sign On for OneDesk

VMware Identity Manager Administration. MAY 2018 VMware Identity Manager 3.2

WSO2 Identity Management

Inside Symantec O 3. Sergi Isasi. Senior Manager, Product Management. SR B30 - Inside Symantec O3 1

Access Management Handbook

Integrating VMware Workspace ONE with Okta. VMware Workspace ONE

Best Practices: Authentication & Authorization Infrastructure. Massimo Benini HPCAC - April,

Udemy for Business SSO. Single Sign-On (SSO) capability for the UFB portal

Standards-based Secure Signon for Cloud and Native Mobile Agents

Morningstar ByAllAccounts SAML Connectivity Guide

Dropbox Connector. Version 2.0. User Guide

SAP Security in a Hybrid World. Kiran Kola

Enterprise SOA Experience Workshop. Module 8: Operating an enterprise SOA Landscape

Identity management. Tuomas Aura T Information security technology. Aalto University, autumn 2011

Box Connector. Version 2.0. User Guide

All about SAML End-to-end Tableau and OKTA integration

THE SECURITY LEADER S GUIDE TO SSO

Contents Introduction... 5 Configuring Single Sign-On... 7 Configuring Identity Federation Using SAML 2.0 Authentication... 29

O365 Solutions. Three Phase Approach. Page 1 34

ForgeRock Access Management Core Concepts AM-400 Course Description. Revision B

Configure Unsanctioned Device Access Control

Single Sign-On for PCF. User's Guide

Directory Integration with Okta. An Architectural Overview. Okta Inc. 301 Brannan Street San Francisco, CA

Network Security Essentials

Quick Connection Guide

ArcGIS Enterprise Security: An Introduction. Gregory Ponto & Jeff Smith

Liferay Security Features Overview. How Liferay Approaches Security

Implement SAML 2.0 SSO in WLS using IDM Federation Services

Oracle Access Manager Configuration Guide

Securing APIs and Microservices with OAuth and OpenID Connect

FEDERATED IDENTITY AT ARGONNE NATIONAL LABORATORY

CLI users are not listed on the Cisco Prime Collaboration User Management page.

CoreBlox Integration Kit. Version 2.2. User Guide

About This Document 3. Overview 3. System Requirements 3. Installation & Setup 4

IBM InfoSphere Information Server Single Sign-On (SSO) by using SAML 2.0 and Tivoli Federated Identity Manager (TFIM)

Administering Jive Mobile Apps for ios and Android

Introducing Shibboleth. Sebastian Rieger

openid connect all the things

Manage SAML Single Sign-On

Authentication. August 17, 2018 Version 9.4. For the most recent version of this document, visit our documentation website.

Setting Up Resources in VMware Identity Manager (SaaS) Modified 15 SEP 2017 VMware Identity Manager

SAML SSO Deployment Guide for Cisco Unified Communications Applications, Release 12.0(1)

Using Your Own Authentication System with ArcGIS Online. Cameron Kroeker and Gary Lee

Attributes for Apps How mobile Apps can use SAML Authentication and Attributes

Introduction to application management

IBM Fundamentals of Applying Tivoli Security and Compliance Management Solutions V2.

Qualys SAML 2.0 Single Sign-On (SSO) Technical Brief

BEYOND AUTHENTICATION IDENTITY AND ACCESS MANAGEMENT FOR THE MODERN ENTERPRISE

VMware Workspace ONE Quick Configuration Guide. VMware AirWatch 9.1

ISACA Silicon Valley. APIs The Next Hacker Target or a Business and Security Opportunity? Tim Mather, CISO Cadence Design Systems

ForgeRock Access Management Customization and APIs

Setting Up Resources in VMware Identity Manager (On Premises) Modified on 30 AUG 2017 VMware AirWatch 9.1.1

WebEx Connector. Version 2.0. User Guide

Ramnish Singh IT Advisor Microsoft Corporation Session Code:

Single Sign-On Best Practices

Web Based Single Sign-On and Access Control

RECOMMENDED DEPLOYMENT PRACTICES. The F5 and Okta Solution for High Security SSO

CONFIGURING AD FS AS A THIRD-PARTY IDP IN VMWARE IDENTITY MANAGER: VMWARE WORKSPACE ONE OPERATIONAL TUTORIAL VMware Workspace ONE

Authentication Guide

Integration Guide. SafeNet Authentication Manager. Using SAM as an Identity Provider for PingFederate

CLI users are not listed on the Cisco Prime Collaboration User Management page.

DATAOPS.BARCELONA SIMPLIFYING IDENTITY MANAGEMENT WITH SSO TOOLS

Certification Exam Guide SALESFORCE CERTIFIED IDENTITY AND ACCESS MANAGEMENT DESIGNER. Summer Salesforce.com, inc. All rights reserved.

Webthority can provide single sign-on to web applications using one of the following authentication methods:

DESIGN OF WEB SERVICE SINGLE SIGN-ON BASED ON TICKET AND ASSERTION

Guide to Deploying VMware Workspace ONE. VMware Identity Manager VMware AirWatch 9.1

SOFTWARE DEMONSTRATION

Sentinet for BizTalk Server SENTINET

CA SiteMinder. Federation Manager Guide: Legacy Federation. r12.5

PASS4TEST. IT Certification Guaranteed, The Easy Way! We offer free update service for one year

API Gateway. Version 7.5.1

CA SiteMinder Federation

Version 7.x. Quick-Start Guide

AARC Blueprint Architecture

The Business of Identity: Business Drivers and Use Cases of Identity Web Services

globus online Globus Nexus Steve Tuecke Computation Institute University of Chicago and Argonne National Laboratory

SAP Single Sign-On 2.0 Overview Presentation

EXPERTS LIVE SUMMER NIGHT. Close your datacenter and give your users-wings

Transcription:

Warm Up to Identity Protocol Soup David Waite Principal Technical Architect 1

Topics What is Digital Identity? What are the different technologies? How are they useful? Where is this space going? 2

Digital Identity 3

Concepts Authentication / Authenticity Is this entity (person/machine) who they say 4

Concepts Attributes / Identity Information My name is David Waite I work for Ping Identity I ve been in the Identity Space for 10 years My email address is dwaite@pingidentity.com 5

Introductions Ping Identity Focused on Identity standards Enterprise and Consumer-oriented solutions On-site software (PingFederate) Identity as a Service offerings (PingOne) 6

Concepts Authorization What are the rules on who can do what Access Control Enforces whether you can or can t do something 7

Concepts The bundle of credentials, identifiers and attributes makes up the traditional idea of an Account The services which work by the same system of accounts and authorization make up a Security Domain 8

SAML / In the Beginning 9

Simple App Application DB Login Content 10

Less Simple App Application Login Content DB Self- Registration Password Recovery 11

Uh-Oh Application Application Login Content Login Content DB Self- Registration Self- Registration Password Recovery 12

Reality (Simplified) Application Application Login Content Login Content Self- Registration Self- Registration Password Recovery DB Application Application DB DB Login Content Login Content Self- Registration Password Recovery Self- Registration 13

Supportability Issues Multiple accounts Different usernames and passwords Varying support / recovery processes Hard to change Authorization policy Provisioning users is error-prone 14

Security Issues Users may retain access to systems Duplicated passwords and user info Lack of auditing Home-grown auth may be insecure Difficult to switch to multi-factor 15

Architectural impact Decomposing applications is hard Difficult to mash up APIs Data Silos Code for authz policy changes Rebuilding same components 16

Solution? Identity and Access Management Infrastructure shared by apps Centralized resources and management Examples: Use LDAP for account attributes Create groups representing authorizations rather than departments 17

Identity and Access Management Single Authentication Mechanism Transport: Client X.509, Kerberos Domain cookie w/app Server Plugin Authenticating Proxy in front of apps 18

Identity and Access Management Central Authorization Policy Set policy at HTTP resource level Responsible for Access Control at resource level 19

Drawbacks Time/TCO to retrofit existing apps High cost of infrastructure upgrades M&A often be a nightmare There are no standards huge amount of vendor lock-in. 20

Failings Not always possible to support COTS software 3rd Party / Hosted software 21

SAML 22

SAML Security Assertion Markup Language 1.0 in November 2002 2.0 in March 2005 Securely Assert Identity Information 23

SAML Roles Identity Provider (IDP) provides identity information Service Provider (SP) consumes identity information provides access to services 24

SAML Pieces Assertion XML document a signed and/or encrypted containing identity information 25

SAML Parts Protocol - messages built on assertions Binding - sending protocol over the wire Profile - combination to accomplish some use case 26

SAML Web SSO Most popular profile is Web Browser Single Sign-On Profile Use browser as a communication channel Authenticates browser that delivers the message 27

SAML Web SSO Bridges Accounts for the different Security Domains 28

SAML Used by Web Browser SSO Profile WS-* (as token) WS-Federation (as token) OAuth 2 (as authentication mechanism) 29

OpenID 30

OpenID Created by Brad Fitzpatrick in 2005 Came out of blogging space Don t want to manage accounts just to let people comment on blog posts Initially for Lower Assurance Dynamically Managed relationships 31

OpenID Your username is a URL Your login proves ownership Your identity/persona is that URL 32

OpenID - How it works Relying Party Similar role to SP, requests/relies on OpenID OpenID Provider Similar role to IDP, authenticates users 33

OpenID - How it works 1.User enters OpenID or selects OP at Relying Party* 2.RP figures out appropriate OP 3.Sends browser to OP so the user can prove who they are 4.OP sends authenticated user back to RP 34

Advantages User-Centric Identity user maintains control determines who sees what Can run infrastructure without coordination 35

Disadvantages Users do not understand URLs Hidden complexity in implementing Interoperability is poor Many sites are non-compliant Some sites require extensions 36

Recommendation Support specific partners/software Choose a mature product or library Hide OpenID from user Use a NASCAR page 37

OAuth 1 and 2 38

OAuth Negotiate/Represent Authorization for Apps Per-user Delegation of user access User participation in authorization policy 39

The Old Model* 40

The Old Model* 41

OAuth 1 Created in 2007 2-legged Server to Server 3-legged User authorization 42

OAuth 1 Flow User selects to add/authorize third party App sends user to third party site User authenticates with site if needed, indicates what the app is authorized for User is sent back to App with token 43

OAuth Benefits App access is limited App behaviors are auditable User makes their own policy decisions Users can revoke access to their data 44

OAuth 2 Removes complex signature requirement Must use SSL Resource access is simple Separate roles for resource protected, authorization service Adds new flows for new native client use 45

OAuth 1 vs 2 OAuth 1 is very pragmatic Hits two use cases Details them thoroughly with examples OAuth 2 is broad, extensible Pieces used to solve particular problem Do not recommend OAuth 1 for new projects 46

OAuth vs Web SSO OAuth is for authorization, not authentication Web SSO lets you know who the user is OAuth is permission to act for the user NOT a replacement for Web SSO 47

OAuth vs Web SSO OAuth does not give you User attributes Confirmation (that the user is present) Audience (this token was meant for you) 48

OpenID Connect 49

OpenID Connect In-process specification building on top of OAuth 2 Adds first-class identity information to protocol Supports additional use cases (hybrid client) 50

OpenID Connect New ID Token Normal Access token is for the resource, about the client application ID token is meant to be understood by the client, about the user 51

OpenID Connect Defines UserInfo service To get user attributes in a standard manner Has Simple discovery mechanism to authenticate by URL or email address Defines dynamic client support 52

OpenID Connect OpenID Connect provides a single way to securely support both Web SSO, and API access by native clients. 53

Closing 54

Closing Digital Identity is a broad topic representing the user authentication, attributes, and authorization policies for a domain Applications should not be their own security domains does not scale 55

Closing Web SSO is a way to bridge the gap in security domains SAML - Security Assertion Markup Language OpenID 56

Closing For native clients, the browser flow of Web SSO is not appropriate SOAP services have WS-* supports SAML tokens REST services have OAuth supports SAML tokens 57

Closing Going forward, OpenID Connect bridges Web SSO and API access. Supports authentication and authorization Previous protocols will stay in use 58

Questions? Ask me about: WS-Federation WS-Security/WS-Trust SCIM ID-FF/Shibboleth http://www.flickr.com/photos/horiavarlan/4273168957/ 59

Questions? Visit www.pingidentity.com or www.pingone.com for more information Email sales@pingidentity.com with questions Are you a SaaS company interested in getting started with PingOne for free? Contact us at sales@pingidentity.com to learn how! 60

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback