CIS14: Implementing MITREid

Post on 05-Dec-2014


DESCRIPTION

Justin Richer, The MITRE Corporation

A report on MITRE's MITREid platform, which allows thousands of active users to access hundreds of relying parties inside and outside the company; how and why we built MITREid, and why we see the promotion of external identities as an important pattern for enterprise organizations.

TRANSCRIPT

The story of MITREid

Justin Richer, The MITRE Corporation

© 2014 The MITRE Corporation. All rights reserved. Approved for Public Release: Distribution Unlimited (Case Number: 14-1639)

The plight of a software developer

• I build things that people use
• I want to know who's there
• What can I do?

1. Make local accounts
2. Use LDAP
3. Use Enterprise SSO

[Diagram: a firewall separating the Intranet from the Internet]

What to do?

Give people a digital identity

Let's build something

• OpenID 2.0 Server
• Running on corporate IT hardware in the corporate IT environment
• Backed by corporate SSO and user profile information
• "We do SSO so you don't have to"

Why OpenID?

• Open standard protocol
• Network-based federation
• User-driven trust model
• Simple to use and develop

Make it easy for developers: Platform support

• Libraries:
  – Java
  – PHP
  – Python
  – Javascript
  – Ruby
  – Perl
  – …
• Platforms & Plugins:
  – Spring Security
  – Elgg
  – Wordpress
  – Mediawiki
  – Omniauth
  – Drupal
  – …

Usage Profile: The prototype

[Diagram: OpenID Server backed by SSO, behind the firewall between Intranet and Internet]

Usage Profile: The external service

[Diagram: OpenID Server backed by SSO, serving a relying party on the Internet side of the firewall]

Usage Profile: The mobile user

[Diagram: OpenID Server with two-factor authentication (2FA) for a user arriving from the Internet]

The architecture

[Diagram: an Internal OP and an External OP on either side of the firewall between Intranet and Internet, sharing one database of User Profiles; Corporate SSO and Two-Factor Authn as the authentication back-ends]

Runtime security decisions

Adoption by the extended enterprise

The Long Tail

[Chart: the long tail of relying parties; log-scale axis 1, 10, 100, 1000, 10000]

We didn't even plan this

Multiple types of user

Moving on from OpenID 2.0

Let's build it (again)!

• OAuth 2.0 and OpenID Connect server
• OpenID Connect client library
• Enterprise-friendly features and platform
• Flexible deployment

and...

Open Source

We're running it ourselves

Building the specifications

Moving toward federation across the extended enterprise

Better security: Separation

[Diagram: OpenID Provider between users and relying parties]

Delegating services: OAuth

[Diagram: OpenID Provider issuing delegated access to services]

Better security: Revocation
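The three slides above name the properties an OpenID Provider / OAuth server buys you: the service never handles the user's password (separation), each service gets only the access it was granted (delegation), and one grant can be cut off without touching the others (revocation). The following is an added illustration written for this transcript, not MITREid Connect code: the users, client ids and scopes are constructed, and `introspect()` is a stand-in for a token introspection endpoint that a resource server would call over the network.

```python
"""Why put an OpenID Provider / OAuth server between users and services.
Added model, not MITREid Connect code: the client ids, scopes and users are
constructed, and introspect() stands in for an introspection endpoint."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class Grant:
    user: str
    client_id: str
    scopes: frozenset
    issued_at: float
    revoked: bool = False


class Provider:
    """The one place that ever sees a password; everyone else gets tokens."""

    def __init__(self):
        self._users = {}   # username -> (salt, pbkdf2 digest)
        self._grants = {}  # opaque token -> Grant

    def register_user(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self._users[username] = (salt, digest)

    def _check_password(self, username: str, password: str) -> bool:
        rec = self._users.get(username)
        if rec is None:
            return False
        salt, digest = rec
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        return hmac.compare_digest(candidate, digest)

    def authorize(self, username, password, client_id, scopes) -> str:
        """Separation: the user authenticates to the provider, the client gets a token.
        Delegation: the token carries only the scopes granted to that client."""
        if not self._check_password(username, password):
            raise PermissionError("authentication failed")
        token = secrets.token_urlsafe(32)
        self._grants[token] = Grant(username, client_id, frozenset(scopes), time.time())
        return token

    def introspect(self, token: str) -> dict:
        """What a resource server asks: is the token live, for whom, with what scopes?"""
        g = self._grants.get(token)
        if g is None or g.revoked:
            return {"active": False}
        return {"active": True, "sub": g.user, "client_id": g.client_id,
                "scope": " ".join(sorted(g.scopes))}

    def revoke_client(self, username: str, client_id: str) -> int:
        """Revocation: cut off one client for one user; other clients keep working."""
        n = 0
        for g in self._grants.values():
            if g.user == username and g.client_id == client_id and not g.revoked:
                g.revoked = True
                n += 1
        return n


class ResourceServer:
    """A protected API that trusts the provider's answer, never a password."""

    def __init__(self, provider: Provider, required_scope: str):
        self.provider = provider
        self.required_scope = required_scope

    def handle(self, token: str) -> int:
        """HTTP-style status: 200 ok, 401 no live token, 403 wrong scope."""
        info = self.provider.introspect(token)
        if not info["active"]:
            return 401
        if self.required_scope not in info["scope"].split():
            return 403
        return 200


if __name__ == "__main__":
    op = Provider()
    op.register_user("alice", "correct horse battery staple")
    cal_token = op.authorize("alice", "correct horse battery staple", "calendar-app", ["calendar.read"])
    calendar_api = ResourceServer(op, "calendar.read")
    print(calendar_api.handle(cal_token))           # 200
    op.revoke_client("alice", "calendar-app")
    print(calendar_api.handle(cal_token))           # 401
```

The point to notice is in `ResourceServer.handle`: the API's only inputs are a token and the provider's verdict on it, so a compromised or retired service never holds a reusable credential, and the provider can withdraw that one client's access while every other grant the user made stays valid.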

Easier integration by developers

[Diagram: OpenID Provider]

• Standard
• Agile
• Flexible
• Distributed

versus:

• Proprietary
• Fragile
• Rigid
• Centralized

Better administration: An abstraction layer

[Diagram: OpenID Provider]

Scalable security decisions

• Whitelist – Trusted partners, business contracts, customer organizations, trust frameworks (organizations decide these)
• Graylist – User-based trust decisions: follow the Trust on First Use model, keep logs (end-users decide these)
• Blacklist – Very bad sites we don't want to deal with, ever (organizations decide these)
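The whitelist / graylist / blacklist split above is a policy, and the part that scales is that only the two organization-decided lists need an administrator; everything else falls to the end user on first use, with a log kept. The following is an added example for this transcript, not MITREid code: it keys the lists on the relying party's hostname, and the hostnames, user names and log tuple layout are constructed.

```python
"""Trust tiers for relying parties, modelled on the whitelist / graylist /
blacklist scheme in the slides.  Added illustration, not MITREid code.
Hostnames, user names and the log format are constructed samples."""
from dataclasses import dataclass, field
from urllib.parse import urlparse


def rp_host(return_url: str) -> str:
    """Normalise a relying party's return URL to the host the lists are keyed on."""
    host = urlparse(return_url).hostname
    if not host:
        raise ValueError(f"relying party URL has no host: {return_url!r}")
    return host.lower()


@dataclass
class TrustPolicy:
    # Organization-decided tiers: partners, contracts, trust frameworks ...
    whitelist: set = field(default_factory=set)
    # ... and sites the organization never wants to deal with.
    blacklist: set = field(default_factory=set)
    # Graylist state: user -> hosts that user approved on first use (TOFU).
    tofu: dict = field(default_factory=dict)
    # Audit log of every graylist and blacklist decision, as the slide asks.
    log: list = field(default_factory=list)

    def decide(self, user: str, return_url: str, user_consents=None) -> str:
        """Return 'allow', 'deny' or 'prompt' for a sign-in request.

        user_consents is None until the end user has answered the TOFU prompt,
        then True or False with the user's answer.
        """
        host = rp_host(return_url)
        # Blacklist wins over everything, including an earlier TOFU approval.
        if host in self.blacklist:
            self.log.append(("deny", user, host, "blacklist"))
            return "deny"
        # Whitelisted partners need no per-user decision.
        if host in self.whitelist:
            return "allow"
        # Everything else is graylist: the end user decides, once, and we remember.
        approved = self.tofu.setdefault(user, set())
        if host in approved:
            return "allow"
        if user_consents is None:
            return "prompt"
        if user_consents:
            approved.add(host)
            self.log.append(("approve", user, host, "tofu"))
            return "allow"
        self.log.append(("refuse", user, host, "tofu"))
        return "deny"


if __name__ == "__main__":
    policy = TrustPolicy(whitelist={"partner.example"}, blacklist={"evil.example"})
    print(policy.decide("alice", "https://partner.example/openid/return"))        # allow
    print(policy.decide("alice", "https://blog.example/openid/return"))           # prompt
    print(policy.decide("alice", "https://blog.example/openid/return", True))     # allow
    print(policy.log)
```

Two design choices are worth stating: the blacklist is checked before the user's own TOFU memory, so a site moved to the blacklist is cut off even for users who approved it earlier, and TOFU approvals are per user and per host rather than per URL, so one consent covers every return URL on that relying party.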

Conclusions

• Use open standards
• Give your people digital identities and let them decide where to use them
• Use federation where possible

Questions?

jricher@mitre.org
