CIS13: OpenID Connect: How it Solves your Problems
Transcript of CIS13: OpenID Connect: How it Solves your Problems
Nomura Research Institute
Cloud Identity Summit 2013
OpenID Connect: How it solves your problems
July 10, 2013
Nat Sakimura, Nomura Research Institute
Chairman, The OpenID Foundation
© 2013 by Nomura Research Institute. All rights reserved.
[Figure: four identity contexts, B2E, B2C, G2C and G2E (pictures: Microsoft Office Online)]
Q: "Why is OpenID Connect relevant for us in the enterprise? It's a consumer technology, is it not?"
Not quite.
OpenID Connect was built with enterprise use in mind (as well as consumer use);
OpenID Connect helps you build effective access governance over cloud services.
Q: What are the de facto federation and account provisioning protocols?
Identity Federation
• agreement between two or more domains (3.2.3) specifying how identity information (3.2.4) will be exchanged and managed for cross-domain identification (3.2.1) purposes [ISO/IEC 24760-1]
Account Provisioning
• process of creating an account at the service for the user
Identity Federation
• SAML?
Account Provisioning
• SPML?
Identity Federation
• Password Sharing
Account Provisioning
• Custom CSV
Q: Why did we fail?
• Too complex to understand.
  - cognitive difficulty -> support difficulty
• Different products do not interoperate.
• A large Japanese manufacturer:
  - > 3000 partners all around the world
  - Some are quite small
  - Tried to do SAML
CSV is easy.
• Hey, you just need Excel! And you can manually edit them!
Password Sharing is easy.
• Hey, it works on any application that supports passwords!
Lots of (hidden) problems…
• Anything that more than 3 people know is not a secret!
• Can easily get out of sync.
• De-provisioning? Archiving?
• Are you getting audit trails of the access to those systems?
• Etc.
Let's re-do. This time, dead simple.
OpenID Connect & SCIM
identity: set of attributes related to an entity [ISO/IEC 29115 | ITU-T X.1254]
Note: distinguish identity and identifier carefully.
An example of a simplistic enterprise "identity"
Employee number: A12349898
Name: John Smith
Position: General Manager
Department: Finance
Company: ABCD Holding
Location: NYHQ
Datetime: 29130809T12:34:11Z
[Figure: the same example identity, with its attributes mapped to where they are used: logging, user interface, access control info]
[Figure: Account -> Role -> PEP -> Resource]
[Figure: Identity -> PEP -> Resource, with Rules]
[Figure: identity and Rules -> Resource; based on the SP 800-162 figure on page viii]
R1 • Access control MUST be done with the dynamic attributes.
R2 • Identity MUST be provided from the authoritative source.
R3 • Need to be able to provide flexible security.
R4 • Need to be dead simple.
R5 • Interoperability is king.
R6 • Limited-connection (esp. mobile) ready.
R7 • Unified technology for enterprise and consumer.
R8 • Privacy enhancing and voluntary.
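The point of the Account/Role versus Identity/Rules figures and of R1 and R2, as an added Python example that is not code from the talk or from NRI: a small policy enforcement point that decides over the attributes of the slide's example identity, including the dynamic Datetime attribute, placed beside a static account-to-role lookup. The policy, the resource and action names, the business-hours window and the 2013 timestamps are assumptions made for this example.

```python
"""Added example: attribute-based decisions over the identity itself (R1, R2)
versus a static account -> role grant. Policy, resource names, business hours
and timestamps are assumed for the example; they are not from the talk."""
from datetime import datetime
from typing import Callable, Dict, List, Optional

BUSINESS_HOURS_UTC = range(9, 18)  # assumed policy window, weekdays only


def parse_datetime(value: str) -> datetime:
    """Slide-style timestamp: basic date, extended time, UTC, e.g. 20130809T12:34:11Z."""
    return datetime.strptime(value, "%Y%m%dT%H:%M:%SZ")


def in_business_hours(identity: Dict[str, str]) -> bool:
    """Dynamic attribute: the Datetime carried with the identity, not a stored grant."""
    value = identity.get("Datetime")
    if not value:
        return False
    ts = parse_datetime(value)
    return ts.weekday() < 5 and ts.hour in BUSINESS_HOURS_UTC


# Each rule names a resource and action, attributes that must match exactly,
# attributes that must be one of a set, and an optional predicate over the identity.
RULES: List[dict] = [
    {"resource": "payment-ledger", "action": "approve",
     "match": {"Department": "Finance", "Location": "NYHQ"},
     "any_of": {"Position": {"General Manager", "CFO"}},
     "when": in_business_hours},
    {"resource": "payment-ledger", "action": "read",
     "match": {"Department": "Finance"}},
]


def rule_applies(rule: dict, identity: Dict[str, str]) -> bool:
    for attr, value in rule.get("match", {}).items():
        if identity.get(attr) != value:
            return False
    for attr, allowed in rule.get("any_of", {}).items():
        if identity.get(attr) not in allowed:
            return False
    when: Optional[Callable[[Dict[str, str]], bool]] = rule.get("when")
    return when is None or when(identity)


def pep_decide(identity: Dict[str, str], resource: str, action: str) -> str:
    """PEP: permit only if some rule matches the attributes presented now; default deny."""
    for rule in RULES:
        if rule["resource"] == resource and rule["action"] == action and rule_applies(rule, identity):
            return "permit"
    return "deny"


# The Account -> Role lookup of the earlier figure: a grant recorded when the account
# was provisioned, with nothing from the authoritative source in the decision.
STATIC_ROLES = {"A12349898": {"ledger-approver"}}
ROLE_GRANTS = {("payment-ledger", "approve"): {"ledger-approver"}}


def role_decide(account: str, resource: str, action: str) -> str:
    held = STATIC_ROLES.get(account, set())
    needed = ROLE_GRANTS.get((resource, action), set())
    return "permit" if held & needed else "deny"


def demo() -> Dict[str, str]:
    """Constructed identities based on the slide's John Smith (year assumed to be 2013)."""
    john = {"Employee number": "A12349898", "Name": "John Smith", "Position": "General Manager",
            "Department": "Finance", "Company": "ABCD Holding", "Location": "NYHQ",
            "Datetime": "20130809T12:34:11Z"}                 # a Friday, 12:34 UTC
    weekend = dict(john, Datetime="20130810T02:00:00Z")        # Saturday
    transferred = dict(john, Department="Marketing")           # HR (authoritative source) moved him
    return {
        "gm_business_hours": pep_decide(john, "payment-ledger", "approve"),
        "gm_weekend": pep_decide(weekend, "payment-ledger", "approve"),
        "transferred_abac": pep_decide(transferred, "payment-ledger", "approve"),
        "transferred_read": pep_decide(transferred, "payment-ledger", "read"),
        "transferred_static_role": role_decide("A12349898", "payment-ledger", "approve"),
    }
```

The last two entries of demo() are the contrast the figures draw: once HR moves John to Marketing, the attribute rules deny him the ledger on the next request, while the role grant recorded at provisioning time keeps permitting until someone remembers to de-provision it.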
Let's re-do. This time, dead simple.
Yes, we are reinventing a wheel, but this time it will be a little rounder.
SAML vs. OpenID Connect

SAML Web SSO          | OpenID Connect
----------------------|--------------------------------
XML                   | JSON
XML Dsig              | JSON Web Signature (JWS)
XML Encryption        | JSON Web Encryption (JWE)
SAML                  | JSON Web Token
SAML Assertion        | ID Token (OIDC)
SOAP (mostly…)        | REST
SAML Web SSO Profile  | Standard (= OAuth 2.0 binding)
SPML                  | SCIM
OpenID Foundation Japan's Enterprise Identity WG
Egawa-san!
Deployment Experiences of OpenID Connect
Easy to implement
• Good!
Nice user experience for enterprise users
• No login dialogues – just depend on AD.
• NRI has built an IIS plugin that works as an OIDC server over the implicit flow.
Make sure to follow the verification rules
• Some implementations were bitten by not following MUSTs.
• Never send an access token without an accompanying ID Token to any other clients.
Care should be taken with "code" and "token" server-side verification
• It will be a bottleneck in performance.
• Make them as stateless as possible.
• Depending on the risk profile, it may not be necessary to re-check with the server; just verify them locally.
• Use an in-memory DB for the revocation list.
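The two preceding slides together, as an added Python example that is not code from the talk and not NRI's IIS plugin: a relying party validating an ID Token received over the implicit flow alongside an access token, doing every check locally (no call back to the provider on the request path) and consulting an in-memory revocation set. The checks are the ID Token validation rules of OpenID Connect Core 1.0 (sections 3.1.3.7 and 3.2.2.11) plus the at_hash access token check (3.2.2.9). The issuer, client_id, HS256 client secret, timestamps and all claim values are assumptions constructed for the example.

```python
"""Added example: ID Token validation done locally (stateless), with the access
token bound by at_hash and an in-memory revocation set. Issuer, client id, the
HS256 client secret and all claim values are assumed, not from the talk."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

ISSUER = "https://connect.example.com"            # assumed OP issuer
CLIENT_ID = "finance-portal"                      # assumed RP client_id
CLIENT_SECRET = b"assumed-shared-client-secret"   # assumed; HS256 MAC key per OIDC Core 10.1
ALLOWED_ALGS = {"HS256"}                          # explicit allow-list: "none" and alg-switching rejected
REVOKED_JTI = set()                               # stand-in for the in-memory revocation list


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def at_hash(access_token: str) -> str:
    """Left-most 128 bits of SHA-256 over the ASCII access token, base64url (SHA-256-based algs)."""
    return _b64url(hashlib.sha256(access_token.encode("ascii")).digest()[:16])


def mint_id_token(claims: dict, secret: bytes = CLIENT_SECRET) -> str:
    """Provider side, present only so the example runs offline: HS256 compact JWS."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    mac = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(mac)}"


def verify_id_token(token: str, expected_nonce: str, access_token: Optional[str] = None,
                    now: Optional[float] = None, secret: bytes = CLIENT_SECRET) -> dict:
    """Relying-party side: every MUST checked locally, nothing fetched from the OP."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWS")
    header_b64, payload_b64, sig_b64 = parts
    if json.loads(_b64url_decode(header_b64)).get("alg") not in ALLOWED_ALGS:
        raise ValueError("alg not allowed")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if CLIENT_ID not in audiences:
        raise ValueError("token was issued to a different client")
    if len(audiences) > 1 and claims.get("azp") != CLIENT_ID:
        raise ValueError("azp does not name this client")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (replay?)")
    if claims.get("jti") in REVOKED_JTI:
        raise ValueError("revoked")
    if access_token is not None:
        # response_type "id_token token": at_hash is REQUIRED and ties the access token to this
        # ID Token, so an access token handed over without its ID Token proves nothing to a client.
        if "at_hash" not in claims:
            raise ValueError("at_hash missing")
        if not hmac.compare_digest(str(claims["at_hash"]), at_hash(access_token)):
            raise ValueError("access token does not belong to this ID Token")
    return claims


def demo(now: int = 1373457600) -> dict:
    """Constructed tokens (now = 2013-07-10T12:00:00Z); returns the outcome of each check."""
    nonce, access_token = "n-0S6_WzA2Mj", "constructed-access-token-1"
    base = {"iss": ISSUER, "sub": "A12349898", "aud": CLIENT_ID, "iat": now, "exp": now + 300,
            "nonce": nonce, "jti": "jti-1", "at_hash": at_hash(access_token)}
    outcomes = {"valid": verify_id_token(mint_id_token(base), nonce, access_token, now)["sub"]}
    cases = {
        "other_client": (dict(base, aud="hr-portal"), access_token),
        "swapped_access_token": (base, "constructed-access-token-2"),
        "expired": (dict(base, exp=now - 1), access_token),
        "stale_nonce": (dict(base, nonce="old"), access_token),
    }
    for name, (claims, token_in_hand) in cases.items():
        try:
            verify_id_token(mint_id_token(claims), nonce, token_in_hand, now)
            outcomes[name] = "accepted"
        except ValueError as err:
            outcomes[name] = str(err)
    REVOKED_JTI.add("jti-1")                       # e.g. an administrator killed the session
    try:
        verify_id_token(mint_id_token(base), nonce, access_token, now)
        outcomes["revoked"] = "accepted"
    except ValueError as err:
        outcomes["revoked"] = str(err)
    REVOKED_JTI.discard("jti-1")
    return outcomes
```

Only the revocation check touches shared state, and it is a set lookup; everything else is a hash, a MAC and a few comparisons on the token in hand, which is what keeps the verification path off the performance bottleneck the slide warns about. With RS256 the MAC comparison becomes a public-key signature check against the provider's published keys, and the remaining checks stay the same.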
Big Picture ~ Transient Situation
[Figure: AD etc. -> Connect Server (Access Log) -> Service, Service, Service]