OpenID Connect - how it solves enterprise problems

Nomura Research Institute

Cloud Identity Summit 2013

OpenID Connect:

How it solves your

problems

July 10, 2013

Nat SakimuraNomura Research InstituteChairman, The OpenID Foundation@_nat_enhttp://nat.sakimura.org/

© 2013 by Nomura Research Institute. All rights reserved.


B2E Identity

B2C IdentityG2C Identity

(source of pictures)Microsoft Office Online

G2E Identity



?"Why OpenID Connect is relevant for us enterprise? It's a consumer technology,

is it not?"



Not quite.

because I have very enterprizy background…



OpenID Connect

was built with Enterprise use in mind (as well as consumer use);

helps you build effective access governance over cloud services



QWhat are the de facto federation and account provisioning protocols?



Identity Federation

•SAML?

Account Provisionin

g•SPML?



No!



Identity Federation

•Password Sharing

Account Provisionin

g•Custom CSV



?Why did we fail?



Too complex to understand. cognitive difficulty -> Support difficulty

Different products did not interoperate.

A large Japanese manufacturer: ▪ > 3000 partners all around the world▪Many of them were working with multiple companies▪Tried to create a SAML federation but failed.



CSV is easy.

• Hey, you just need Excel! And you can manually edit them!

Password Sharing is

easy. • Hey, it works on any application that supports password!



Lots of (hidden) problems…



Anything that more than 3 people knows is not a secret!

Can easily get out of sync. Allowing manual edit is a risk. De-provisioning? Archiving? Are you getting audit trail of

the access to those systems?

etc…



#fail



Let’s re-do. This time, dead simple.

Yes, we are reinventing a wheel, but This time, it will be a little rounder.



OpenID Connect& SCIM



SAML v.s. OpenID Connect

SAML Web SSO OpenID ConnectXML JSONXML Dsig JSON Web Signature

(JWS)XML Encryption JSON Web Encryption

(JWE)SAML JSON Web TokenSAML Assertion ID Token (OIDC)SOAP (mostly…) RESTSAML Web SSO Profile Standard (=OAuth 2.0

binding)SPML SCIM



identity set of attributes related to an entity

ISO/IEC 29115 | ITU-T X.1254

Note: distinguish identity and identifier carefully.



An example of simplistic enterprise “identity”

Employee number: A12349898

Name: John Smith

Position: General Manager

Department: Finance

Company: ABCD Holding

Location: NYHQ

Datetime: 29130809T12:34:11Z



Employee number: A12349898

Name: John Smith

Position: General Manager

Department: Finance

Company: ABCD Holding

Location: NYHQ

Datetime: 29130809T12:34:11Z

logging

User interface

Access Controlinfo



Real Name

Professionalqualification

department

Geo-location

Employee number

Entity Identity Resource

Authentication

Policy Enforcement

Rules



ABAC

Based on SP800-162 figure on page viii

identityResource

Rules

entity



Real Name


department

Geo-location

Employee number

Entity IdentityResource

Authentication PEP

PDP

PAP

Boss Metadata

Log Log



Requirements

R1

•Access Control MUST be done with the dynamic attributes

R2

•Identity MUST be provided from the authoritative source

R3

•Need to be able to provide flexible security.

R4

•Need to be dead simple.

R5

•Interoperability is the king.

R6

•Limited connection (esp. mobile) ready.

R7

•Unified technology for enterprise and consumer.



Real Name


department

Geo-location

Employee number

Entity IdentityResource

Authentication PEP

PDP

PAP

Boss Metadata

Log Log



Deployment Experiencesof OpenID Connect



What kind of deployment have we done?

Windows Domain integration

SMTP/IMAP/SSH & OpenID Connect

A large provider integration

Privacy Proxy



Windows Domain Integration

AD

ConnectServer

AccessLog

Service

Service

Service

Service

Registration

Discovery

HR System



Easy to implement • Building was easy;• Deployment was easy partly because

you can “provision” the linked accounts; Nice user experience for enterprise users• No login dialogues; Leverage on

Windows Logon;• No consent – as it is administered by the

admin, and it is following privacy rules;• Help Avoid “Pavlov’s Dog Problem”


Nomura Research InstituteTurning Internet Dog to Pavlov’s Dog

32

Click!Click!

Click!

Click!

Click!

Click! Click!

(Source) Based on IIW dog



?But what about other protocols?

SMTP / IMAP / SSH etc.

Application Passwords …



PAM Module for OpenID Connect

SMTP

IMAP

SSH

PAM

OIDCPlugin

OpenID ConnectServer

Thunderbrid

WebBrows

er

Token

Toke

n as

Pas

swor

dToken as Password

Token IntrospectionTo

ken as

Pass

word



Make sure to follow verification rules

• Some implementation were bitten by not following MUSTs.Never send an access token without

accompanying ID Token to any other clients. • Otherwise, you will be subject to token swap attack. • http://www.thread-safe.com/2012/01/problem-with-oauth

-for-authentication.html

Care should be taken for “code” and “token” server-side verification• Maybe not so acute in most enterprise deployment, but

in one of the consumer solution that we help run, it is doing 2000 tr/sec

http://www.thread-safe.com/2012/01/problem-with-oauth-for-authentication.html

http://www.thread-safe.com/2012/01/problem-with-oauth-for-authentication.html



36

OpenID Connect - how it solves enterprise problems

Technology

Transcript of OpenID Connect - how it solves enterprise problems