cis13: identity at scale
DESCRIPTION
Hans Zandbelt, Technical Architect, Ping Identity As the numbers and types of applications, devices and users grow, enterprise businesses face scalability challenges in dealing with Identity and Access Management (IAM) and federated Single Sign On (SSO) across web, mobile, enterprise and cloud environments. This session analyzes major issues that impact IAM and SSO scalability and explores possible approaches to address these issues. Topics include: · Trends and drivers for next generation identity and access management · A bird's eye view of new standards for IAM across web and mobile · Approaches for managing federated SSO on an Internet scaleTRANSCRIPT
Copyright ©2013 Ping Identity Corporation. All rights reserved. 1
Identity at Scale
Hans Zandbelt CTO Office – Ping Identity
CIS 2013
Copyright ©2013 Ping Identity Corporation. All rights reserved. 2
• Trends and Standards • Identity at Scale • Recommendations
Contents
Copyright ©2013 Ping Identity Corporation. All rights reserved. 3
Trends
• Cloud (SaaS), Mobile, Social – Authentication:
SAML -> +OpenID Connect
• Web -> API – Core business:
information and data, not presentation
• Internet of Things • Mutual authentication?
– controlling other cars, toasters, lightbulbs
Copyright ©2013 Ping Identity Corporation. All rights reserved. 4
• Standards – Interoperability: need to deal with another vendor’s API/
product? Not an app for every thing in the IoT! – cross-domain – competition, replaceable implementations, leading to good
but cheap products?
• APIs – Light-weight, SOAP -> REST/OAuth 2.0
• Web SSO – Enterprise/Customer Identity, Consumer Identity – SAML -> OpenID Connect : scale?
• OpenID Connect – Simplicity for clients/RPs -> complexity shifted to the OP
Standards (the nice thing is…)
Copyright ©2013 Ping Identity Corporation. All rights reserved. 5
IDENTITY AT SCALE
Copyright ©2013 Ping Identity Corporation. All rights reserved. 6
1-1 Federated Identity Today
• Increase of Cloud/SaaS adoption – # federated SSO
applications (SAML) – # partner connections – # connection
management overhead (*)
• But(!) also for “incidental”
connections – How to obtain updates
• Authoritative source -> trust
• Infrastructure: authenticated source (e-mail…)
– How to configure them • Automated • Managed,
outsourced
IDP
IDP
IDP
SP
SP
SP
Copyright ©2013 Ping Identity Corporation. All rights reserved. 7
• Metadata related (not so standard for other-than-SAML protocols) – key material – SSO service URLs – point of contact
• Attributes – could be metadata, often isn’t – may be bilateral (!) – required/optional, consent
• Policies – contractual agreements – privacy
• End-user/application/SSO related – how users can sign in (relation to service URLs) – change in look and feel – change in functionality
(*) Connection Management
<md>
Copyright ©2013 Ping Identity Corporation. All rights reserved. 8
Metadata - SAML 2.0
• Technical Trust
• X.509 Certificate – Anchored vs.
unanchored – Key vs. other cert
info
• URLs/Bindings
• Contact info – Company name,
admin/tech contact
<md:EntityDescriptor! xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"! xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"! xmlns:ds="http://www.w3.org/2000/09/xmldsig#"! entityID="https://idp.example.org/SAML2">!! <!-- insert ds:Signature element -->!! <md:IDPSSODescriptor! protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">!! <md:KeyDescriptor use="signing">! <ds:KeyInfo>…</ds:KeyInfo>! </md:KeyDescriptor>!! <md:SingleSignOnService! Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"! Location="https://idp.example.org/SAML2/SSO/POST"/>! <md:SingleSignOnService! Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"! Location="https://idp.example.org/SAML2/Artifact"/>!! </md:IDPSSODescriptor>!! <md:Organization>! <md:OrganizationName xml:lang="en">! SAML Identity Provider ! </md:OrganizationName>! <md:OrganizationURL xml:lang="en">! http://www.idp.example.org/! </md:OrganizationURL>! </md:Organization>!! <md:ContactPerson contactType="technical">! <md:SurName>SAML IdP Support</md:SurName>! <md:EmailAddress>mailto:[email protected]</md:EmailAddress>! </md:ContactPerson>!!</md:EntityDescriptor>!
Copyright ©2013 Ping Identity Corporation. All rights reserved. 9
Connection Management Metadata/Technical Issues
• Conn Mgmt often a one-shot process (cq. a snapshot)
• Certificate expiry and update
• Contact info update • URL and binding
updates • Changes in IDP
discovery process
• Metadata documents can contribute to the solution, but how to scale exchange?
Key Rollover
Contact Info
Bindings & URLs
Copyright ©2013 Ping Identity Corporation. All rights reserved. 10
Contrary to popular belief:
The connection management problem is NOT specific to SAML; any federated authentication
system deployed on true internet scale will have to address this issue.
So: any solution should be protocol agnostic.
BE AWARE
Copyright ©2013 Ping Identity Corporation. All rights reserved. 11
TOWARDS A SOLUTION What can we do?
Copyright ©2013 Ping Identity Corporation. All rights reserved. 12
Solution Approach (n=2): Shared Conn. Mgmt.
• Single/central/shared point of connection management (trust)
• Trusted 3rd party – From: user trust
scale through 2nd party to SP/IDP trust through 3rd-party
• Compares to TLS and
a Certificate Authority or DNS
• Challenge – How to create a
trusted channel
Shared Service
IDP
IDP
IDP
SP
SP
SP
Copyright ©2013 Ping Identity Corporation. All rights reserved. 13
A shared service… where does it apply?
• intra-enterprise – large distributed
organizations, both infrastructure and responsibilities/trust (acquisitions and mergers)
– connect multiple applications to a variety of externals & internals; “user access firewall”
• inter-enterprise – verticals: healthcare,
automotive, banking/financial, education but also "cross e-Gov”
– homogeneous(!) group with shared interest/organization
IDP SP
IDP SP
IDP SP
IDP SP
Copyright ©2013 Ping Identity Corporation. All rights reserved. 14
A Next Step In Architecture Evolution…
Application Server
App 1
Fed Fed Fed
App 2 App 3
App Server or Access System
App 1
Federation
App 2 App 3
App Server
App 1
Federation Server
App 2 App 3
App Server
App Srv
App 1
Fed Server
App 2
App Srv
Connection Management
App Server
App 3
Fed Fed
App 4 1
2 3
4
Copyright ©2013 Ping Identity Corporation. All rights reserved. 15
Solution 1: Proxy
• Indirect peer-to-peer communication
• Trust proxy only, relay to peers, inband
• Shift the metadata problem to a central facility: no distr. mgmt
• Technical trust may be combined with organizational trust
• Connection Mgmt – MxN -> M+N
• Accommodate for diff SAML implementations
• Protocol translations are possible
Operator
IDP
IDP
IDP
SP
SP
SP
SAML Proxy SP-IDP
SAML
Copyright ©2013 Ping Identity Corporation. All rights reserved. 16
Benefits
• Scalability of trust – Technical: single
connection to proxy, central management of partner connections
– Organizational: trust in proxy operator
• Updates – outsourced to the
proxy; proxy to solve…
• Discovery & Autoconf – Outsourced to the
proxy; proxy to solve…
Centralized Trust Mgmt
Updates
Discovery & Autoconf
Copyright ©2013 Ping Identity Corporation. All rights reserved. 17
Solution 2: Metadata Service
• aka. multi-party federation
• Higher Education & Research – InCommon, UK
Access Federation – 40+ across the world
• Business Verticals – Healthcare – Finance – e-Gov
• Async technical trust • Sync direct peer-to-
peer communication • Metadata upload (!)
Federation Operator
IDP
IDP
IDP
SP
SP
SP SAML
Metadata
Copyright ©2013 Ping Identity Corporation. All rights reserved. 18
Distribution variants (SAML 2.0 metadata)
• Flat file based (classic) – > 10 Mb files for large
federations (EntitiesDescriptor)
• Query-based (MDX) • Well known location for
metadata – EntityID-is-URL-to-
Metadata – SAML auto-connect
(Ping Identity) • DNS based (registry)
• Trust 1. signed metadata 2. trusted registry 3. SSL CA
IDP SP IDP SP
IDP SP IDP SP
IDP
IDP
DNS
IDP
DNS
1 2 3
Copyright ©2013 Ping Identity Corporation. All rights reserved. 19
Metadata Expiry (!)
• Attributes on Entity and Entities level: validUntil and cacheDuration
• On EntitiesDescriptor and EntityDescriptor level
• use only validUntil to enforce expiration
• use cacheDuration to override (downward) the refresh interval
• keep using (valid) metadata if the refresh fails
d!
t1!
t1+d!
t1+2d!
v=t2!
t2+d!
t2+2d!
d = cacheDuration (interval)!v = validUntil (timestamp)!
d!
Copyright ©2013 Ping Identity Corporation. All rights reserved. 20
Benefits
• Scalability of trust – Technical: removes
need to exchange metadata on peer-to-peer basis
– Organizational: federation operator does IDP and SP vetting through contractual agreements
• Key rollover – Include multiple
signing keys for a <validUntil> period
• Discovery and auto-configuration – Building block…
Scalability of Trust
Key Rollover
Discovery & Autoconf
Copyright ©2013 Ping Identity Corporation. All rights reserved. 21
Metadata Service layering: interfederation
Interfederation Operator
IDP
IDP
SP
SP
IDP
IDP
SP
SP
Metadata Metadata
Aggregated Metadata
Copyright ©2013 Ping Identity Corporation. All rights reserved. 22
• MDUI – SAML version 2.0 Metadata Extensions for Login and
Discovery User interface, version 1.0 • Entity attributes
– SAML V2.0 Metadata Extension for Entity Attributes Version 1.0
– Generic extension point • Signed Entity Attributes
– Single source of metadata, support multiple trust levels or hierarchies
• Other protocols – SAML 1.0, SAML 1.1 – WS-Federation (ADFS 2.0) – OpenID 2.0 – OpenID Connect (?) -> independent registry or attr
SAML 2.0 Metadata extensions
Copyright ©2013 Ping Identity Corporation. All rights reserved. 23
Taxonomy + Examples
External
Internal
Model Proxy Metadata
IDMaaS (PingOne)
Federation (InCommon)
Proxy (PingFed`)
“Metadata Server”
Deployment
Copyright ©2013 Ping Identity Corporation. All rights reserved. 24
• Proxy – PingOne – wayf.dk
• Metadata Service – InCommon – UK Access Federation
Any SAML product implementation today may or not support one or both models, in the core or through customizations.
Solution Examples for SAML 2.0
Copyright ©2013 Ping Identity Corporation. All rights reserved. 25
OpenID Connect Metadata (OP and RP)
• Metadata and key material separated
• Use HTTP cache info for the JWK set (optional)
• Multiple keys with “kids” – JIT: client
fetches kid if unknown
• Client updates keys with OP through DynReg
OP RP
JWK set
metadata
JWK set
metadata
Metadata Service
Dynamic Client
Registration
Copyright ©2013 Ping Identity Corporation. All rights reserved. 26
RECOMMENDATIONS
Copyright ©2013 Ping Identity Corporation. All rights reserved. 27
• The problem is not protocol specific (!) – Any solution should be multi-protocol enabled or
rather protocol agnostic • A shared service, two possible approaches
– Metadata Service (“automate”) or Proxy (“outsource”)
• True Internet scale? Expect combinations (!) – Local/enterprise/community: proxy based – Protocol Translation: proxy – Global: (interconnected) metadata service based
Recommendations
Copyright ©2013 Ping Identity Corporation. All rights reserved. 28
• Registration and publishing service for “endpoint” metadata – Multi-protocol: both SAML 2.0 and OpenID Connect
(OPs) • Technical Trust
– authenticated, trusted source • Discovery
– multiple entities on a single OIDC domain – Entities that cannot or will not host their own metadata – Replace well-known URL starting point
• Validation • Certification
Metadata Service
Copyright ©2013 Ping Identity Corporation. All rights reserved. 29
Future? Not so much!
• Identity is/as KEY – not just users, but
also devices and applications
• Unified access policy implementation across web and APIs/Mobile – Based on identity
• Enterprise: – Single System ->
Identity Bridge • Identity Bridge
– Bridge external SAML and OpenID Connect to internal OpenID Connect (both ends standardized)
Copyright ©2013 Ping Identity Corporation. All rights reserved. 30
Thank You
Q&A @hanszandbelt
Ping Identity