Page 1
John Bradley, Ping Identity @ve7jtb
Synergies
or (hey, you got SAML on my OAuth!)
Page 2
Overview: SAML, JWT, OpenID, SCIM, OAuth, UMA
Page 4
Overview: SAML, JWT, OpenID, SCIM, OAuth, UMA
Page 5
OpenID & JWT & OAuth
• OpenID Connect profiles/extends OAuth & JWT
• Adds an identity layer on top of OAuth 2.0
• Stipulates use of JWT for 'identity tokens'
• Reflects harmonization of competing proposals (vNext, Connect, AB) for the evolution of OpenID 2.0
• Enables higher LOA by allowing assertions to flow through the back channel (a la artifact) or via signing and encryption
Page 6
OpenID & JWT & OAuth
• Whereas OAuth is a general mechanism to authorize API access, OpenID Connect profiles the generic for the purpose of sharing profile information
• Uses the authz code & code grant types – the pieces of OAuth optimized for user-consent scenarios
• Leverages the authorization & token endpoints & adds identity-based params to core OAuth messages
Page 7
OpenID & JWT & OAuth
• Authorization Endpoint: Client sends a request to the Server at the Authorization endpoint. Server authenticates the End-User. After authorization, Server returns an Authorization Code. (As in OAuth 2)
• Token Endpoint: The Client sends the Access Token Request to the Token Endpoint to obtain the Access Token Response, which includes an access_token. (As in OAuth 2)
• UserInfo Endpoint: The access_token MAY be sent to the UserInfo Endpoint to obtain user information/assertion/claims about the user. (As in Facebook Connect)
• The ID Token, aggregated claims, distributed claims and Session Management. (New)
Page 8
Overview: SAML, JWT, OpenID, SCIM, OAuth, UMA
Page 9
SAML & OAuth
• 'Hybrid' – carry an OAuth token in SAML SSO messages
• 'Assertion profile' – use SAML assertions within the OAuth flow
• 'Sequencing' – use SAML SSO to authenticate the user to the AS
Page 10
Overview: SAML, JWT, OpenID, SCIM, OAuth, UMA
Page 11
SCIM & SAML
• SAML binding for SCIM
  – Carry a SCIM instance as attributes in the SAML SSO message
  – Enables JIT provisioning
  – Supplements the SCIM API model
• SCIM API messages to provision accounts for subsequent SAML SSO
Page 12
SCIM & SAML

```xml
<saml:AttributeStatement xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:scim="http://placeholder.scim.org/2011/schema/extension">
  <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
      Name="SCIM.userName">
    <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:type="xs:string">[email protected]</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
      Name="SCIM.name.formatted">
    <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:type="xs:string">Ms. Babs J Jensen III</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
```
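The attribute statement above is the SAML binding for SCIM in action: SCIM attribute names are carried in `Name`, dotted for nested SCIM fields, so the SP can build an account on first login. The following is an added example, not code from the deck or from any SCIM or SAML implementation, showing how an SP would pull those attributes out of a verified assertion and turn them into a SCIM core 1.0 provisioning payload. The attribute statement is a constructed sample in the deck's shape (the user values and the extra multi-valued and non-SCIM attributes are made up), and it assumes the assertion's XML signature has already been verified.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}

# Constructed sample in the shape shown on the slide (all values are made up).
SAMPLE_STATEMENT = """<saml:AttributeStatement xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
      Name="SCIM.userName">
    <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:type="xs:string">bjensen@example.com</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
      Name="SCIM.name.formatted">
    <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:type="xs:string">Ms. Babs J Jensen III</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
      Name="SCIM.emails.value">
    <saml:AttributeValue>bjensen@example.com</saml:AttributeValue>
    <saml:AttributeValue>babs@example.org</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="eduPersonAffiliation">
    <saml:AttributeValue>staff</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
"""


def scim_attributes(statement_xml: str) -> dict:
    """Collect SCIM.* attributes from an AttributeStatement into a nested dict.

    Precondition (not shown): the enclosing assertion's signature has been verified,
    so these values are trusted to come from the IdP.
    """
    root = ET.fromstring(statement_xml)
    if root.tag != f"{{{SAML_NS}}}AttributeStatement":
        raise ValueError("not a SAML AttributeStatement")
    result: dict = {}
    for attr in root.findall("saml:Attribute", NS):
        name = attr.get("Name", "")
        if not name.startswith("SCIM."):
            continue  # non-SCIM attributes are left for other consumers
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        path = name[len("SCIM."):].split(".")  # "name.formatted" -> ["name", "formatted"]
        node = result
        for part in path[:-1]:
            node = node.setdefault(part, {})
        node[path[-1]] = values[0] if len(values) == 1 else values
    return result


def jit_provision_payload(attrs: dict) -> dict:
    """Shape the collected attributes as a SCIM core 1.0 User for just-in-time provisioning."""
    if not attrs.get("userName"):
        raise ValueError("SCIM.userName is required to provision an account")
    payload = {"schemas": ["urn:scim:schemas:core:1.0"], "userName": attrs["userName"]}
    if "name" in attrs:
        payload["name"] = attrs["name"]
    emails = attrs.get("emails", {}).get("value")
    if emails:
        email_list = emails if isinstance(emails, list) else [emails]
        # First listed address is treated as primary; the rest are secondary.
        payload["emails"] = [{"value": e, "primary": i == 0} for i, e in enumerate(email_list)]
    return payload


if __name__ == "__main__":
    print(jit_provision_payload(scim_attributes(SAMPLE_STATEMENT)))
```

Refusing to provision when `SCIM.userName` is absent is deliberate: an assertion that authenticates a user but carries no stable identifier should fall back to the SCIM API path described on the slide rather than creating an account from partial data.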
Page 13
Overview: SAML, JWT, OpenID, SCIM, OAuth, UMA
Page 14
SCIM & OAuth
1. Use OAuth to secure SCIM API calls
2. Use SCIM to provision account for subsequent OAuth-based mobile access to SaaS APIs
Page 15
SCIM & OAuth

```http
POST /User HTTP/1.1
Host: example.com
Accept: application/xml
Authorization: Bearer h480djs93hd8

<?xml version="1.0" encoding="UTF-8"?>
<scim:User xmlns:scim="urn:scim:schemas:core:1.0">
  <userName>[email protected]</userName>
  <externalId>701984</externalId>
  <emails>
    <email>
      <value>[email protected]</value>
      <primary>true</primary>
      <type>work</type>
    </email>
  </emails>
</scim:User>
```
Page 16
Overview: SAML, JWT, OpenID, SCIM, OAuth, UMA
Page 17
SAML & JWT & OAuth
• Use a SAML assertion or JWT for OAuth client authentication and/or as an OAuth grant type

```http
POST /token HTTP/1.1
Host: server.example.com
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code&
code=i1WsRn1uB1&
client_id=s6BhdRkqt3&
client_assertion_type=urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Aassertion&
client_assertion=PHNhbWxwOl…...ZT
```
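The request above authenticates the client with a SAML assertion instead of a client secret, so the token endpoint has to check the assertion the way it would check a password: who issued it, whom it is for, and whether it is still fresh. The following is an added example, not code from the deck or from Ping Identity, of both sides of that exchange: a client that builds the form body in the shape shown, and a token endpoint that parses it and runs the structural checks on the assertion. The assertion, the token endpoint URL and the client registry are constructed; the `client_id` and `code` values are the ones on the slide. The assertion-type URN on the slide is a draft-era value, so the accepted set also includes the `saml2-bearer` URN that RFC 7522 later standardized. XML signature verification against the client's registered key is a precondition that is stated in a comment but not implemented here.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode

TOKEN_ENDPOINT = "https://server.example.com/token"   # assumed; must appear as the assertion Audience
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}
# Assertion-type URN used on the slide, plus the value RFC 7522 later settled on.
ACCEPTED_ASSERTION_TYPES = {
    "urn:oasis:names:tc:SAML:2.0:assertion",
    "urn:ietf:params:oauth:client-assertion-type:saml2-bearer",
}
REGISTERED_CLIENTS = {"s6BhdRkqt3"}   # constructed registry of known client_ids

# Constructed, unsigned assertion in the shape a client would present (times are made up).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" Version="2.0" IssueInstant="2012-03-01T12:00:00Z">
  <saml:Issuer>s6BhdRkqt3</saml:Issuer>
  <saml:Subject><saml:NameID>s6BhdRkqt3</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2012-03-01T12:00:00Z" NotOnOrAfter="2012-03-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://server.example.com/token</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def build_token_request(assertion_xml: str, client_id: str = "s6BhdRkqt3",
                        code: str = "i1WsRn1uB1") -> str:
    """Client side: the form body shown on the slide, with the assertion base64-encoded."""
    return urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "client_id": client_id,
        "client_assertion_type": "urn:oasis:names:tc:SAML:2.0:assertion",
        "client_assertion": base64.b64encode(assertion_xml.encode("utf-8")).decode("ascii"),
    })


def _saml_time(value: str) -> datetime:
    """Parse the UTC timestamp format SAML uses (e.g. 2012-03-01T12:05:00Z)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def authenticate_client(form_body: str, now_utc: str) -> dict:
    """Token endpoint side: return {client_id, code} if the assertion authenticates the client."""
    now = _saml_time(now_utc)
    form = parse_qs(form_body, strict_parsing=True)
    single = {k: v[0] for k, v in form.items() if len(v) == 1}
    if len(single) != len(form):
        raise ValueError("duplicate form parameters")
    if single.get("grant_type") != "authorization_code":
        raise ValueError("unsupported grant_type")
    if single.get("client_assertion_type") not in ACCEPTED_ASSERTION_TYPES:
        raise ValueError("unsupported client_assertion_type")
    client_id = single.get("client_id")
    if client_id not in REGISTERED_CLIENTS:
        raise ValueError("unknown client")
    # PRECONDITION not shown: verify the assertion's XML signature with the key
    # registered for client_id before trusting any of the values below.
    assertion = ET.fromstring(base64.b64decode(single.get("client_assertion", "")))
    if assertion.tag != f"{{{SAML_NS}}}Assertion":
        raise ValueError("client_assertion is not a SAML 2.0 Assertion")
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != client_id:
        raise ValueError("assertion Issuer does not match client_id")
    subject = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    if subject != client_id:
        raise ValueError("assertion Subject does not identify the client")
    conditions = assertion.find("saml:Conditions", NS)
    if conditions is None:
        raise ValueError("assertion has no Conditions")
    audiences = [a.text.strip() for a in
                 conditions.findall("saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if TOKEN_ENDPOINT not in audiences:
        raise ValueError("assertion not addressed to this token endpoint")
    not_on_or_after = conditions.get("NotOnOrAfter")
    if not_on_or_after is None or now >= _saml_time(not_on_or_after):
        raise ValueError("assertion expired")
    not_before = conditions.get("NotBefore")
    if not_before is not None and now < _saml_time(not_before):
        raise ValueError("assertion not yet valid")
    return {"client_id": client_id, "code": single.get("code")}


if __name__ == "__main__":
    print(authenticate_client(build_token_request(SAMPLE_ASSERTION), "2012-03-01T12:02:00Z"))
```

The audience check is the one most often skipped and the one that matters most: without it, an assertion minted for some other service's token endpoint would be accepted here, which is exactly the cross-service reuse the Audience element exists to prevent.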
Page 18
SAML & JWT & OAuth
• OAuth Assertion profile (core protocol): how to use assertions for client authentication and as a grant type
• SAML and JWT profiles of the assertion profile: for specific assertion formats
Page 19
Overview: SAML, JWT, OpenID, SCIM, OAuth, UMA
Page 20
UMA & OAuth
• User Managed Access extends OAuth 2.0 to allow a user to manage access to multiple (and distributed) resources through a centralized Authorization Manager
• Leverages the separation between AS & RS introduced by WRAP

| OAuth | UMA |
|---|---|
| The resource server respects access tokens from "its" authorization server | The host outsources authorization jobs to an authorization manager chosen by the user |
| The authorization server issues tokens based on the client's ability to authenticate | The authorization manager issues tokens based on user policy and "claims" conveyed by the requester |
| The resource server validates tokens in an unspecified manner, assumed locally | The host can ask the authorization manager to validate tokens in real time |
| Static client registration step | More dynamic model |
Page 21
Overview: SAML, JWT, OpenID, SCIM, OAuth, UMA
Page 22
Thank you.
@ve7jtb