openid connect - how it solves enterprise problems
DESCRIPTION
OpenID Connect is an identity layer on top of OAuth 2.0 Authorization Framework. This session gives an overview of the underlying concept and how it can help you solve your problems.TRANSCRIPT
Nomura Research Institute
Cloud Identity Summit 2013
OpenID Connect:
How it solves your
problems
July 10, 2013
Nat SakimuraNomura Research InstituteChairman, The OpenID Foundation@_nat_enhttp://nat.sakimura.org/
© 2013 by Nomura Research Institute. All rights reserved.
Nomura Research Institute
B2E Identity
B2C IdentityG2C Identity
(source of pictures)Microsoft Office Online
G2E Identity
© 2013 by Nomura Research Institute. All rights reserved.
Nomura Research Institute
?"Why OpenID Connect is relevant for us enterprise? It's a consumer technology,
is it not?"
© 2013 by Nomura Research Institute. All rights reserved.
Nomura Research Institute
Not quite.
because I have very enterprizy background…
© 2013 by Nomura Research Institute. All rights reserved.
Nomura Research Institute
OpenID Connect
was built with Enterprise use in mind (as well as consumer use);
helps you build effective access governance over cloud services
© 2013 by Nomura Research Institute. All rights reserved.
Nomura Research Institute
QWhat are the de facto federation and account provisioning protocols?
© 2013 by Nomura Research Institute. All rights reserved.
Nomura Research Institute
Identity Federation
•SAML?
Account Provisionin
g•SPML?
© 2013 by Nomura Research Institute. All rights reserved.
Nomura Research Institute
No!
© 2013 by Nomura Research Institute. All rights reserved.
Nomura Research Institute
Identity Federation
•Password Sharing
Account Provisionin
g•Custom CSV
© 2013 by Nomura Research Institute. All rights reserved.
Nomura Research Institute
?Why did we fail?
© 2013 by Nomura Research Institute. All rights reserved.
Nomura Research Institute
Too complex to understand. cognitive difficulty -> Support difficulty
Different products did not interoperate.
A large Japanese manufacturer: ▪ > 3000 partners all around the world▪Many of them were working with multiple companies▪Tried to create a SAML federation but failed.
© 2013 by Nomura Research Institute. All rights reserved.
Nomura Research Institute
CSV is easy.
• Hey, you just need Excel! And you can manually edit them!
Password Sharing is
easy. • Hey, it works on any application that supports password!
© 2013 by Nomura Research Institute. All rights reserved.
Nomura Research Institute
Lots of (hidden) problems…
© 2013 by Nomura Research Institute. All rights reserved.
Nomura Research Institute
Anything that more than 3 people knows is not a secret!
Can easily get out of sync. Allowing manual edit is a risk. De-provisioning? Archiving? Are you getting audit trail of
the access to those systems?
etc…
© 2013 by Nomura Research Institute. All rights reserved.
Nomura Research Institute
#fail
© 2013 by Nomura Research Institute. All rights reserved.
Nomura Research Institute
Let’s re-do. This time, dead simple.
Yes, we are reinventing a wheel, but This time, it will be a little rounder.
© 2013 by Nomura Research Institute. All rights reserved.
Nomura Research Institute
OpenID Connect& SCIM
© 2013 by Nomura Research Institute. All rights reserved.
Nomura Research Institute
SAML v.s. OpenID Connect
SAML Web SSO OpenID ConnectXML JSONXML Dsig JSON Web Signature
(JWS)XML Encryption JSON Web Encryption
(JWE)SAML JSON Web TokenSAML Assertion ID Token (OIDC)SOAP (mostly…) RESTSAML Web SSO Profile Standard (=OAuth 2.0
binding)SPML SCIM
© 2013 by Nomura Research Institute. All rights reserved.
Nomura Research Institute
identity set of attributes related to an entity
ISO/IEC 29115 | ITU-T X.1254
Note: distinguish identity and identifier carefully.
© 2013 by Nomura Research Institute. All rights reserved.
Nomura Research Institute
An example of simplistic enterprise “identity”
Employee number: A12349898
Name: John Smith
Position: General Manager
Department: Finance
Company: ABCD Holding
Location: NYHQ
Datetime: 29130809T12:34:11Z
© 2013 by Nomura Research Institute. All rights reserved.
Nomura Research Institute
Employee number: A12349898
Name: John Smith
Position: General Manager
Department: Finance
Company: ABCD Holding
Location: NYHQ
Datetime: 29130809T12:34:11Z
logging
User interface
Access Controlinfo
© 2013 by Nomura Research Institute. All rights reserved.
Nomura Research Institute
Real Name
Professionalqualification
department
Geo-location
Employee number
Entity Identity Resource
Authentication
Policy Enforcement
Rules
© 2013 by Nomura Research Institute. All rights reserved.
Nomura Research Institute
ABAC
Based on SP800-162 figure on page viii
identityResource
Rules
entity
© 2013 by Nomura Research Institute. All rights reserved.
Nomura Research Institute
Real Name
Professionalqualification
department
Geo-location
Employee number
Entity IdentityResource
Authentication PEP
PDP
PAP
Boss Metadata
Log Log
© 2013 by Nomura Research Institute. All rights reserved.
Nomura Research Institute
Requirements
R1
•Access Control MUST be done with the dynamic attributes
R2
•Identity MUST be provided from the authoritative source
R3
•Need to be able to provide flexible security.
R4
•Need to be dead simple.
R5
•Interoperability is the king.
R6
•Limited connection (esp. mobile) ready.
R7
•Unified technology for enterprise and consumer.
© 2013 by Nomura Research Institute. All rights reserved.
Nomura Research Institute
Real Name
Professionalqualification
department
Geo-location
Employee number
Entity IdentityResource
Authentication PEP
PDP
PAP
Boss Metadata
Log Log
© 2013 by Nomura Research Institute. All rights reserved.
Nomura Research Institute
Deployment Experiencesof OpenID Connect
© 2013 by Nomura Research Institute. All rights reserved.
Nomura Research Institute
What kind of deployment have we done?
Windows Domain integration
SMTP/IMAP/SSH & OpenID Connect
A large provider integration
Privacy Proxy
© 2013 by Nomura Research Institute. All rights reserved.
Nomura Research Institute
Windows Domain Integration
AD
ConnectServer
AccessLog
Service
Service
Service
Service
Registration
Discovery
HR System
© 2013 by Nomura Research Institute. All rights reserved.
Nomura Research Institute
Easy to implement • Building was easy;• Deployment was easy partly because
you can “provision” the linked accounts; Nice user experience for enterprise users• No login dialogues; Leverage on
Windows Logon;• No consent – as it is administered by the
admin, and it is following privacy rules;• Help Avoid “Pavlov’s Dog Problem”
© 2013 by Nomura Research Institute. All rights reserved.
Nomura Research InstituteTurning Internet Dog to Pavlov’s Dog
32
Click!Click!
Click!
Click!
Click!
Click! Click!
(Source) Based on IIW dog
© 2013 by Nomura Research Institute. All rights reserved.
Nomura Research Institute
?But what about other protocols?
SMTP / IMAP / SSH etc.
Application Passwords …
© 2013 by Nomura Research Institute. All rights reserved.
Nomura Research Institute
PAM Module for OpenID Connect
SMTP
IMAP
SSH
PAM
OIDCPlugin
OpenID ConnectServer
Thunderbrid
WebBrows
er
Token
Toke
n as
Pas
swor
dToken as Password
Token IntrospectionTo
ken as
Pass
word
© 2013 by Nomura Research Institute. All rights reserved.
Nomura Research Institute
Make sure to follow verification rules
• Some implementation were bitten by not following MUSTs.Never send an access token without
accompanying ID Token to any other clients. • Otherwise, you will be subject to token swap attack. • http://www.thread-safe.com/2012/01/problem-with-oauth
-for-authentication.html
Care should be taken for “code” and “token” server-side verification• Maybe not so acute in most enterprise deployment, but
in one of the consumer solution that we help run, it is doing 2000 tr/sec
© 2013 by Nomura Research Institute. All rights reserved.
Nomura Research Institute
36