openid connect - how it solves enterprise problems

Nomura Research Institute

Cloud Identity Summit 2013

OpenID Connect:

How it solves your

problems

July 10, 2013

Nat SakimuraNomura Research InstituteChairman, The OpenID Foundation@_nat_enhttp://nat.sakimura.org/

© 2013 by Nomura Research Institute. All rights reserved.

Nomura Research Institute

B2E Identity

B2C IdentityG2C Identity

(source of pictures)Microsoft Office Online

G2E Identity

© 2013 by Nomura Research Institute. All rights reserved.

Nomura Research Institute

?"Why OpenID Connect is relevant for us enterprise? It's a consumer technology,

is it not?"

© 2013 by Nomura Research Institute. All rights reserved.

Nomura Research Institute

Not quite.

because I have very enterprizy background…

© 2013 by Nomura Research Institute. All rights reserved.

Nomura Research Institute

OpenID Connect

was built with Enterprise use in mind (as well as consumer use);

helps you build effective access governance over cloud services

© 2013 by Nomura Research Institute. All rights reserved.

Nomura Research Institute

QWhat are the de facto federation and account provisioning protocols?

© 2013 by Nomura Research Institute. All rights reserved.

Nomura Research Institute

Identity Federation

•SAML?

Account Provisionin

g•SPML?

© 2013 by Nomura Research Institute. All rights reserved.

Nomura Research Institute

No!

© 2013 by Nomura Research Institute. All rights reserved.

Nomura Research Institute

Identity Federation

•Password Sharing

Account Provisionin

g•Custom CSV

© 2013 by Nomura Research Institute. All rights reserved.

Nomura Research Institute

?Why did we fail?

© 2013 by Nomura Research Institute. All rights reserved.

Nomura Research Institute

Too complex to understand. cognitive difficulty -> Support difficulty

Different products did not interoperate.

A large Japanese manufacturer: ▪ > 3000 partners all around the world▪Many of them were working with multiple companies▪Tried to create a SAML federation but failed.

© 2013 by Nomura Research Institute. All rights reserved.

Nomura Research Institute

CSV is easy.

• Hey, you just need Excel! And you can manually edit them!

Password Sharing is

easy. • Hey, it works on any application that supports password!

© 2013 by Nomura Research Institute. All rights reserved.

Nomura Research Institute

Lots of (hidden) problems…

© 2013 by Nomura Research Institute. All rights reserved.

Nomura Research Institute

Anything that more than 3 people knows is not a secret!

Can easily get out of sync. Allowing manual edit is a risk. De-provisioning? Archiving? Are you getting audit trail of

the access to those systems?

etc…

© 2013 by Nomura Research Institute. All rights reserved.

Nomura Research Institute

#fail

© 2013 by Nomura Research Institute. All rights reserved.

Nomura Research Institute

Let’s re-do. This time, dead simple.

Yes, we are reinventing a wheel, but This time, it will be a little rounder.

© 2013 by Nomura Research Institute. All rights reserved.

Nomura Research Institute

OpenID Connect& SCIM

© 2013 by Nomura Research Institute. All rights reserved.

Nomura Research Institute

SAML v.s. OpenID Connect

SAML Web SSO OpenID ConnectXML JSONXML Dsig JSON Web Signature

(JWS)XML Encryption JSON Web Encryption

(JWE)SAML JSON Web TokenSAML Assertion ID Token (OIDC)SOAP (mostly…) RESTSAML Web SSO Profile Standard (=OAuth 2.0

binding)SPML SCIM

© 2013 by Nomura Research Institute. All rights reserved.

Nomura Research Institute

identity set of attributes related to an entity

ISO/IEC 29115 | ITU-T X.1254

Note: distinguish identity and identifier carefully.

© 2013 by Nomura Research Institute. All rights reserved.

Nomura Research Institute

An example of simplistic enterprise “identity”

Employee number: A12349898

Name: John Smith

Position: General Manager

Department: Finance

Company: ABCD Holding

Location: NYHQ

Datetime: 29130809T12:34:11Z

© 2013 by Nomura Research Institute. All rights reserved.

Nomura Research Institute

Employee number: A12349898

Name: John Smith

Position: General Manager

Department: Finance

Company: ABCD Holding

Location: NYHQ

Datetime: 29130809T12:34:11Z

logging

User interface

Access Controlinfo

© 2013 by Nomura Research Institute. All rights reserved.

Nomura Research Institute

Real Name

Professionalqualification

department

Geo-location

Employee number

Entity Identity Resource

Authentication

Policy Enforcement

Rules

© 2013 by Nomura Research Institute. All rights reserved.

Nomura Research Institute

ABAC

Based on SP800-162 figure on page viii

identityResource

Rules

entity

© 2013 by Nomura Research Institute. All rights reserved.

Nomura Research Institute

Real Name

Professionalqualification

department

Geo-location

Employee number

Entity IdentityResource

Authentication PEP

PDP

PAP

Boss Metadata

Log Log

© 2013 by Nomura Research Institute. All rights reserved.

Nomura Research Institute

Requirements

R1

•Access Control MUST be done with the dynamic attributes

R2

•Identity MUST be provided from the authoritative source

R3

•Need to be able to provide flexible security.

R4

•Need to be dead simple.

R5

•Interoperability is the king.

R6

•Limited connection (esp. mobile) ready.

R7

•Unified technology for enterprise and consumer.

© 2013 by Nomura Research Institute. All rights reserved.

Nomura Research Institute

Real Name

Professionalqualification

department

Geo-location

Employee number

Entity IdentityResource

Authentication PEP

PDP

PAP

Boss Metadata

Log Log

© 2013 by Nomura Research Institute. All rights reserved.

Nomura Research Institute

Deployment Experiencesof OpenID Connect

© 2013 by Nomura Research Institute. All rights reserved.

Nomura Research Institute

What kind of deployment have we done?

Windows Domain integration

SMTP/IMAP/SSH & OpenID Connect

A large provider integration

Privacy Proxy

© 2013 by Nomura Research Institute. All rights reserved.

Nomura Research Institute

Windows Domain Integration

AD

ConnectServer

AccessLog

Service

Service

Service

Service

Registration

Discovery

HR System

© 2013 by Nomura Research Institute. All rights reserved.

Nomura Research Institute

Easy to implement • Building was easy;• Deployment was easy partly because

you can “provision” the linked accounts; Nice user experience for enterprise users• No login dialogues; Leverage on

Windows Logon;• No consent – as it is administered by the

admin, and it is following privacy rules;• Help Avoid “Pavlov’s Dog Problem”

© 2013 by Nomura Research Institute. All rights reserved.

Nomura Research InstituteTurning Internet Dog to Pavlov’s Dog

32

Click!Click!

Click!

Click!

Click!

Click! Click!

(Source) Based on IIW dog

© 2013 by Nomura Research Institute. All rights reserved.

Nomura Research Institute

?But what about other protocols?

SMTP / IMAP / SSH etc.

Application Passwords …

© 2013 by Nomura Research Institute. All rights reserved.

Nomura Research Institute

PAM Module for OpenID Connect

SMTP

IMAP

SSH

PAM

OIDCPlugin

OpenID ConnectServer

Thunderbrid

WebBrows

er

Token

Toke

n as

Pas

swor

dToken as Password

Token IntrospectionTo

ken as

Pass

word

© 2013 by Nomura Research Institute. All rights reserved.

Nomura Research Institute

Make sure to follow verification rules

• Some implementation were bitten by not following MUSTs.Never send an access token without

accompanying ID Token to any other clients. • Otherwise, you will be subject to token swap attack. • http://www.thread-safe.com/2012/01/problem-with-oauth

-for-authentication.html

Care should be taken for “code” and “token” server-side verification• Maybe not so acute in most enterprise deployment, but

in one of the consumer solution that we help run, it is doing 2000 tr/sec

© 2013 by Nomura Research Institute. All rights reserved.

Nomura Research Institute

36