Implementing MITREid - CIS 2014 presentation
DESCRIPTION
The story of MITREid, a corporate identity system implemented at MITRE built around OpenID 2.0 and, later, OpenID Connect.
TRANSCRIPT
The story of MITREid
Justin Richer, The MITRE Corporation
© 2014 The MITRE Corporation. All rights reserved.
Approved for Public Release: Distribution Unlimited (Case Number: 14-1639)
The plight of a software developer
• I build things that people use
• I want to know who's there
• What can I do?
1. Make local accounts
2. Use LDAP
3. Use Enterprise SSO
[Diagram: a firewall separating the intranet from the Internet]
What to do?
Give people a digital identity
Let's build something
• OpenID 2.0 Server
• Running on corporate IT hardware in the corporate IT environment
• Backed by corporate SSO and user profile information
• "We do SSO so you don't have to"
Why OpenID?
• Open standard protocol
• Network-based federation
• User-driven trust model
• Simple to use and develop
Make it easy for developers: Platform support
• Libraries:
  – Java
  – PHP
  – Python
  – Javascript
  – Ruby
  – Perl
  – …
• Platforms & Plugins:
  – Spring Security
  – Elgg
  – Wordpress
  – Mediawiki
  – Omniauth
  – Drupal
  – …
Usage Profile: The prototype
[Diagram: firewall between intranet and Internet; OpenID Server and SSO inside the intranet]
Usage Profile: The external service
[Diagram: firewall between intranet and Internet; OpenID Server and SSO inside the intranet, the external service on the Internet side]
Usage Profile: The mobile user
[Diagram: firewall between intranet and Internet; OpenID Server with 2FA reachable by the mobile user from the Internet]
The architecture
[Architecture diagram: a firewall divides the intranet from the Internet. An Internal OP sits on the intranet, backed by Corporate SSO and User Profiles; an External OP sits on the Internet side and uses Two-Factor Authn. Both OPs use a Shared Database.]
Runtime security decisions
Adoption by the extended enterprise
The Long Tail
[Chart: The Long Tail, logarithmic scale from 1 to 10000]
We didn’t even plan this
Multiple types of user
Moving on from OpenID 2.0
Let's build it (again)!
• OAuth 2.0 and OpenID Connect server
• OpenID Connect client library
• Enterprise-friendly features and platform
• Flexible deployment
and...
Open Source
We’re running it ourselves
Building the specifications
Moving toward federation across the extended enterprise
Better security: Separation
Delegating services: OAuth
Better security: Revocation
Easier integration by developers
OpenID Provider:
• Standard
• Agile
• Flexible
• Distributed
versus:
• Proprietary
• Fragile
• Rigid
• Centralized
Better administration: An abstraction layer
Scalable security decisions
• Whitelist (organizations decide these): trusted partners, business contracts, customer organizations, trust frameworks
• Graylist (end-users decide these): user-based trust decisions; follow the Trust on First Use model, keep logs
• Blacklist (organizations decide these): very bad sites we don't want to deal with, ever
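The whitelist / graylist / blacklist model from the slide, written out as an added example. This is illustration code, not MITREid's own implementation: keying relying parties by the scheme and host of their redirect URI, the `TrustPolicy` class, the verdict names and the audit-log layout are all assumptions made here. Organization-managed lists are checked first, with the blacklist winning over the whitelist if a site is somehow on both; only sites on neither list fall through to the user's Trust on First Use decision, and every decision, including the user's answer at the first-use prompt, is appended to a log.

```python
"""Whitelist / graylist / blacklist trust decisions for an OpenID Provider.

Added illustration of the model on the slide; this is not code from MITREid.
The origin-based client key, the data structures and the audit-log format are
assumptions made for this example.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum
from typing import Dict, List, Set, Tuple
from urllib.parse import urlparse


class Verdict(Enum):
    ALLOW = "allow"        # release the identity assertion without prompting
    DENY = "deny"          # refuse; the end user cannot override this
    ASK_USER = "ask_user"  # graylist, first use: prompt the user to decide


def client_origin(redirect_uri: str) -> str:
    """Key a relying party by scheme and host of its redirect URI.

    Assumption: one trust decision covers a whole site, so port and path are
    dropped and the host is lower-cased. Anything that is not http(s) is rejected.
    """
    parts = urlparse(redirect_uri)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"unsupported redirect URI: {redirect_uri!r}")
    return f"{parts.scheme}://{parts.hostname.lower()}"


@dataclass
class TrustPolicy:
    # Organization-managed lists. The whitelist holds partners, contracts and
    # trust-framework members; the blacklist holds sites never to deal with.
    whitelist: Set[str] = field(default_factory=set)
    blacklist: Set[str] = field(default_factory=set)
    # Graylist state: trust-on-first-use answers remembered per (user, origin).
    tofu: Dict[Tuple[str, str], bool] = field(default_factory=dict)
    # Every decision is logged so graylist trust can be reviewed afterwards.
    audit_log: List[dict] = field(default_factory=list)

    def _log(self, event: str, user: str, origin: str, **extra) -> None:
        entry = {"ts": datetime.now(timezone.utc).isoformat(),
                 "event": event, "user": user, "origin": origin}
        entry.update(extra)
        self.audit_log.append(entry)

    def decide(self, user: str, redirect_uri: str) -> Verdict:
        """Decide whether to release an assertion for `user` to this relying party."""
        origin = client_origin(redirect_uri)
        # Blacklist is checked first so that it wins if a site is on both lists.
        if origin in self.blacklist:
            self._log("blacklist_deny", user, origin)
            return Verdict.DENY
        if origin in self.whitelist:
            self._log("whitelist_allow", user, origin)
            return Verdict.ALLOW
        # Graylist: the end user decides, and the first visit triggers a prompt.
        remembered = self.tofu.get((user, origin))
        if remembered is None:
            self._log("first_use", user, origin)
            return Verdict.ASK_USER
        self._log("tofu_allow" if remembered else "tofu_deny", user, origin)
        return Verdict.ALLOW if remembered else Verdict.DENY

    def record_user_decision(self, user: str, redirect_uri: str,
                             approved: bool, remember: bool = True) -> Verdict:
        """Store the answer a user gave at the first-use prompt."""
        origin = client_origin(redirect_uri)
        if origin in self.blacklist or origin in self.whitelist:
            # Organization-decided sites are never subject to user choice.
            raise ValueError(f"{origin} is decided by the organization, not the user")
        if remember:
            self.tofu[(user, origin)] = approved
        self._log("user_decision", user, origin, approved=approved, remembered=remember)
        return Verdict.ALLOW if approved else Verdict.DENY


if __name__ == "__main__":
    # Constructed sample data (hypothetical hosts) for a stand-alone run.
    policy = TrustPolicy(whitelist={"https://partner.example"},
                         blacklist={"https://evil.example"})
    print(policy.decide("alice", "https://partner.example/openid/return"))
    print(policy.decide("alice", "https://evil.example/openid/return"))
    first = policy.decide("alice", "https://blog.example/openid/return")
    print(first)
    if first is Verdict.ASK_USER:
        policy.record_user_decision("alice", "https://blog.example/openid/return", True)
    print(policy.decide("alice", "https://blog.example/openid/return"))
    for entry in policy.audit_log:
        print(entry)
```

The graylist state is per user and per site, so one user's approval never grants another user anything, and a remembered denial is honoured without a new prompt. Passing `remember=False` lets a user approve a single login without the site being trusted on later visits, which is the one case where a graylist decision should be re-asked.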
Conclusions
• Use open standards
• Give your people digital identities and let them decide where to use them
• Use federation where possible
Questions?