CIS14: Implementing MITREid
DESCRIPTION
Justin Richer, The MITRE Corporation. A report on MITRE’s MITREid platform, which allows thousands of active users to access hundreds of relying parties inside and outside the company; how and why we built MITREid, and why we see the promotion of external identities as an important pattern for enterprise organizations.
TRANSCRIPT
The story of MITREid
Justin Richer, The MITRE Corporation
© 2014 The MITRE Corporation. All rights reserved. Approved for Public Release: Distribution Unlimited (Case Number: 14-1639)
The plight of a software developer
• I build things that people use
• I want to know who’s there
• What can I do?
1. Make local accounts
2. Use LDAP
3. Use Enterprise SSO
[Diagram: a firewall separating the intranet from the internet]
What to do?
Give people a digital identity
Let’s build something
• OpenID 2.0 Server
• Running on corporate IT hardware in the corporate IT environment
• Backed by corporate SSO and user profile information
• “We do SSO so you don’t have to”
Why OpenID?
• Open standard protocol
• Network-based federation
• User-driven trust model
• Simple to use and develop
Make it easy for developers: Platform support
• Libraries: Java, PHP, Python, Javascript, Ruby, Perl, …
• Platforms & Plugins: Spring Security, Elgg, Wordpress, Mediawiki, Omniauth, Drupal, …
Usage Profile: The prototype
[Diagram: OpenID Server backed by SSO on the intranet, behind the firewall, serving a prototype on the internet]
Usage Profile: The external service
[Diagram: OpenID Server backed by SSO on the intranet, behind the firewall, serving an external service on the internet]
User Profiles: The mobile user
[Diagram: OpenID Server with two-factor authentication (2FA), serving a mobile user on the internet through the firewall]
The architecture
[Architecture diagram: user profiles in a shared database; an internal OpenID Provider (OP) on the intranet backed by corporate SSO; an external OP on the internet backed by two-factor authentication; both separated by the firewall; runtime security decisions made at the OPs]
Adoption by the extended enterprise
The Long Tail
[Chart: the long tail of relying parties, logarithmic scale from 1 to 10000]
We didn’t even plan this
Multiple types of user
Moving on from OpenID 2.0
Let’s build it (again)!
• OAuth 2.0 and OpenID Connect server
• OpenID Connect client library
• Enterprise-friendly features and platform
• Flexible deployment
and...
Open Source
We’re running it ourselves
Building the specifications
Moving toward federation across the extended enterprise
Better security: Separation
[Diagram: OpenID Provider]
Delegating services: OAuth
[Diagram: OpenID Provider]
Better security: Revocation
Easier integration by developers
[Diagram: OpenID Provider]
• Standard • Agile • Flexible • Distributed
versus
• Proprietary • Fragile • Rigid • Centralized
Better administration: An abstraction layer
[Diagram: OpenID Provider]
Scalable security decisions
Whitelist: trusted partners, business contracts, customer organizations, trust frameworks
Graylist: user-based trust decisions; follow the Trust on First Use model, keep logs
Blacklist: very bad sites we don’t want to deal with, ever
Organizations decide the whitelist and blacklist; end-users decide the graylist.
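The whitelist / graylist / blacklist model from this slide, written out as an added example (not MITREid code): the organization owns the whitelist and blacklist, a graylisted relying party triggers a user prompt on first use whose outcome is remembered and logged, and the revocation slide's point is covered by a revoke call. Client identifiers and user names are constructed for the example.

```python
"""Three-tier relying-party trust policy for an OpenID Provider (illustrative)."""
from __future__ import annotations
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"    # release identity to the client without asking again
    PROMPT = "prompt"  # graylist: ask the end user (Trust on First Use)
    DENY = "deny"      # blacklist: refuse outright, regardless of user wishes


@dataclass
class TrustPolicy:
    # Administrator-managed lists (organization decides these).
    whitelist: set[str] = field(default_factory=set)
    blacklist: set[str] = field(default_factory=set)
    # Graylist state: scopes each user has approved for each client (end-user decides).
    approvals: dict[tuple[str, str], set[str]] = field(default_factory=dict)
    # Append-only audit trail; the slide's "keep logs" requirement.
    audit_log: list[str] = field(default_factory=list)

    def decide(self, user: str, client_id: str, scopes: set[str]) -> Decision:
        """Decide whether the OP may release `scopes` for `user` to `client_id`."""
        if client_id in self.blacklist:          # blacklist wins over everything
            self.audit_log.append(f"DENY user={user} client={client_id}")
            return Decision.DENY
        if client_id in self.whitelist:          # organization already trusts it
            return Decision.ALLOW
        # Graylist: a prior approval counts only if it covers every requested scope.
        granted = self.approvals.get((user, client_id), set())
        if scopes <= granted:
            return Decision.ALLOW
        return Decision.PROMPT

    def record_approval(self, user: str, client_id: str, scopes: set[str]) -> None:
        """Store the user's consent after a PROMPT; a blacklisted client can never be approved."""
        if client_id in self.blacklist:
            raise ValueError("blacklisted client cannot be approved by a user")
        self.approvals.setdefault((user, client_id), set()).update(scopes)
        self.audit_log.append(
            f"APPROVE user={user} client={client_id} scopes={sorted(scopes)}")

    def revoke(self, user: str, client_id: str) -> None:
        """Withdraw a graylist approval (user- or admin-initiated); next use prompts again."""
        self.approvals.pop((user, client_id), None)
        self.audit_log.append(f"REVOKE user={user} client={client_id}")
```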
Conclusions
• Use open standards
• Give your people digital identities and let them decide where to use them
• Use federation where possible
Questions?