CIS 2015 Session Management at Scale - Scott Tomilson & Jamshid Khosravian
TRANSCRIPT
Session Management at Scale
Scott Tomilson, Jamshid (Jim) Khosravian
Copyright © 2015 Cloud Identity Summit. All rights reserved.
Session Management Web
Jamshid (Jim) Khosravian
(Sorry that I say sorry so much)
• Senior Software Developer at PingIdentity
• Software Technology Enthusiast
• Canadian
Agenda
• PingAccess Session Management
  • Session Initiation/Creation
  • Session Token attributes
  • Session Attributes and Timeouts
  • Single Logout
• PingAccess Scalability
• Q&A
Session Initiation
• PingAccess deployed in front of web apps (Proxy)
• PingAccess Agent installed on the webserver hosting the web app (Agent)
• PingFederate and PingAccess interactions
Proxy
[Figure: proxy deployment, numbered callouts 1-6 between browser, PingAccess (PA), PingFederate (PF) and the backend resource]
High-level Flow:
1) Resource requested
2) PA checks URL policy – it's a protected resource. No PA session. Redirect to PF to login user.
3) User login, PF session created / validated.
4) User redirected back to resource. PA session created.
5) PA session check – OK.
6) Request OK – forward to backend resource.
Agent
[Figure: agent deployment, numbered callouts 1-8 between browser, web server with PA agent, PA server and PingFederate (PF)]
High-level Flow:
1) Resource requested
2) PA agent forwards request to PA server
3) PA checks URL policy – it's a protected resource. No PA session. Creates redirect to PF for the agent; agent sends the redirect back.
4) User login, PF session created / validated.
5) User redirected back to resource.
6) PA agent forwards request to PA server
7) PA checks PF response – OK – creates session – sends response to agent
8) PA response – OK – access granted – requested resource served
Session Initiation
• "Varied" session management handled within IdP Adapters at time of authentication / SSO
  • E.g.: HTML Form Adapter, IWA, WAM IK (third-party tokens)
• Session tokens issued upon SSO & re-issued regularly to handle idle timeouts
  • JWT format (signed or encrypted)
  • Contain attributes required by protected apps & authn level
  • Can be scoped per Application
Session Token
• JWT
  • Signed (JWS)
  • Encrypted (JWE)
• Content
  • Session Attributes
  • (Optional) User Attributes
Session Token (cont’d)
Received PF ID Token (Signed)

```json
{ "alg": "RS256", "kid": "gcs0e" }
.
{
  "sub": "joe",
  "aud": "PingAccessOIDC",
  "jti": "FfCzPyb74vu3va6RNjIBhC",
  "iss": "https://synapse.pingfederatelabs.com:9031",
  "iat": 1433128115,
  "exp": 1433128175,
  "pi.sri": "YPKOMwK7PF2xB9woQexUteMpn_U",
  "nonce": "rhZvrAswWdztaPq-RQSqcSVAWdOiXkRTGeg6y_zVvW0",
  "at_hash": "YSO7fz1xkW_kRliDzmJ_Sg"
}
.
{ Signature data }
```

PA Session Token (Signed)

```json
{ "pi.sri": "YPKOMwK7PF2xB9woQexUteMpn_U", "kid": "7", "alg": "ES256" }
.
{
  "sub": "joe",
  "aud": "global",
  "jti": "5c68d4a7-357c-475d-8f01-02c0ddfc90ca",
  "iat": 1433128123,
  "at_hash": "YSO7fz1xkW_kRliDzmJ_Sg",
  "iss": "PingAccess",
  "exp": 1433131723,
  "pingaccess_refresh_exp": 1433305544,
  "access_token": "9TwtEfi4fYnuQkDKUYnRivf8uHIN",
  "phone_number": "+1 (425) 555-1212",
  "role": "sales",
  "address": {
    "street_address": "123 Main Street",
    "country": "USA",
    "formatted": "123 Main Street, Smallville, ME USA 11223",
    "locality": "Smallville",
    "region": "ME",
    "postal_code": "11223"
  }
}
.
{ Signature data }
```
Session Storage
• Client Side
  • Session attributes and user attributes inside session cookie
• Server Side
  • Session attributes inside session cookie
  • User attributes stored on server
Session Storage (cont’d)
Session Token (Server)

```json
{ "pi.sri": "YPKOMwK7PF2xB9woQexUteMpn_U", "kid": "7", "alg": "ES256" }
.
{
  "sub": "joe",
  "aud": "global",
  "jti": "5c68d4a7-357c-475d-8f01-02c0ddfc90ca",
  "iat": 1433128123,
  "updated_time": "2011-01-03T23:58:42+0000",
  "at_hash": "YSO7fz1xkW_kRliDzmJ_Sg",
  "iss": "PingAccess",
  "exp": 1433131723,
  "access_token": "9TwtEfi4fYnuQkDKUYnRivf8uHIN"
}
.
{ Signature data }
```

Session Token (Client)

```json
{ "pi.sri": "YPKOMwK7PF2xB9woQexUteMpn_U", "kid": "7", "alg": "ES256" }
.
{
  "sub": "joe",
  "aud": "global",
  "jti": "5c68d4a7-357c-475d-8f01-02c0ddfc90ca",
  "iat": 1433128123,
  "updated_time": "2011-01-03T23:58:42+0000",
  "at_hash": "YSO7fz1xkW_kRliDzmJ_Sg",
  "iss": "PingAccess",
  "exp": 1433131723,
  "access_token": "9TwtEfi4fYnuQkDKUYnRivf8uHIN",
  "pingaccess_refresh_exp": 1433305544,
  "phone_number": "+1 (425) 555-1212",
  "role": "sales",
  "address": {
    "street_address": "123 Main Street",
    "country": "USA",
    "formatted": "123 Main Street, Smallville, ME USA 11223",
    "locality": "Smallville",
    "postal_code": "11223"
  }
}
.
{ Signature data }
```
Session Status check and refresh
• Going back a couple of days … WHAT IF …
  • WHAT IF THE RIGHT IDENTITY BECOMES A BAD ACTOR?
  • WHAT IF IDENTITY IS TOO WEAK & TOO DISCONNECTED TO PROTECT US AT SCALE?
Session Status check and refresh
• PingFederate Session Reference ID validation
  • pi.sri session attribute
  • PingFederate Session State Cache (seconds)
• PingAccess User Attribute Refresh
  • pingaccess_refresh_exp
  • Refresh User Attributes Interval (seconds)
Session Timeout
• Idle Timeout (Minutes) default 60 minutes
• Max Timeout (Minutes) default 240 minutes

| JWT Attribute | Description |
| --- | --- |
| "iat": 1433128123 | JWT creation timestamp, will NOT change on reissue |
| "exp": 1433131723 | JWT expiry timestamp, will change on reissue |

In the sample token, exp - iat = 3600 seconds, i.e. the 60-minute default idle timeout; each reissue moves exp forward while iat stays fixed, so the max timeout is measured from iat.
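The session-token behaviour described on slides 8, 14 and 15 (signed JWT re-issued on each check, iat fixed and exp sliding, max timeout measured from iat, pi.sri checked against PingFederate through a short-lived cache, user attributes re-fetched once pingaccess_refresh_exp passes while session attributes are kept), as an added example in Python. This is not PingAccess code. Assumptions: HS256 with a constructed key stands in for the ES256 signature shown on the slides; `pf_session_valid` and `fetch_user_attrs` are hypothetical stand-ins for the PingFederate calls; the cache window (60 s) and refresh interval (900 s) are assumed values; the idle and max timeouts are the defaults from slide 15.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import uuid

# Constructed key. The slides' PA token is ES256; HS256 from the standard library is
# used here so the block runs without dependencies. The timeout, cache and refresh
# logic below does not depend on the signature algorithm.
KEY = b"constructed-demo-key-not-for-production"

IDLE_TIMEOUT = 60 * 60     # slide 15 default: Idle Timeout 60 minutes
MAX_TIMEOUT = 240 * 60     # slide 15 default: Max Timeout 240 minutes
SRI_CACHE_SECONDS = 60     # assumed value for "PingFederate Session State Cache (seconds)"
REFRESH_INTERVAL = 900     # assumed value for "Refresh User Attributes Interval (seconds)"
# session attributes survive an attribute refresh; everything else is a user attribute
SESSION_CLAIMS = {"sub", "aud", "iss", "jti", "iat", "exp", "pingaccess_refresh_exp"}


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode(header: dict, claims: dict) -> str:
    """Compact JWS: base64url(header).base64url(claims).base64url(HMAC)."""
    parts = [_b64url(json.dumps(x, separators=(",", ":")).encode()) for x in (header, claims)]
    signing_input = ".".join(parts).encode()
    return ".".join(parts + [_b64url(hmac.new(KEY, signing_input, hashlib.sha256).digest())])


def decode(token: str) -> tuple[dict, dict]:
    """Verify the MAC before trusting any claim; reject an unexpected alg."""
    h, p, s = token.split(".")
    expected = hmac.new(KEY, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("signature mismatch")
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    return header, json.loads(_b64url_decode(p))


def create_session(sub: str, sri: str, user_attrs: dict, now: int) -> str:
    """PA session created after the user returns from PF (step 4 of the proxy flow)."""
    claims = {
        "sub": sub, "aud": "global", "iss": "PingAccess", "jti": str(uuid.uuid4()),
        "iat": now,                                       # fixed for the life of the session
        "exp": min(now + IDLE_TIMEOUT, now + MAX_TIMEOUT),
        "pingaccess_refresh_exp": now + REFRESH_INTERVAL,
        **user_attrs,
    }
    return encode({"alg": "HS256", "kid": "7", "pi.sri": sri}, claims)


class SessionChecker:
    """Per-request check an engine node performs. pf_session_valid(sri) and
    fetch_user_attrs(sub) are hypothetical stand-ins for the PingFederate calls."""

    def __init__(self, pf_session_valid, fetch_user_attrs):
        self.pf_session_valid = pf_session_valid
        self.fetch_user_attrs = fetch_user_attrs
        self._sri_cache: dict[str, tuple[bool, int]] = {}   # sri -> (valid, checked_at)

    def _sri_valid(self, sri: str, now: int) -> bool:
        cached = self._sri_cache.get(sri)
        if cached is None or now - cached[1] >= SRI_CACHE_SECONDS:
            cached = (self.pf_session_valid(sri), now)        # miss or stale: ask PF
            self._sri_cache[sri] = cached
        return cached[0]

    def check(self, token: str, now: int) -> tuple[str, str | None]:
        """Return (verdict, reissued token or None)."""
        header, claims = decode(token)
        if now >= claims["iat"] + MAX_TIMEOUT:
            return "deny:max-timeout", None          # only a new login extends this
        if now >= claims["exp"]:
            return "deny:idle-timeout", None
        if not self._sri_valid(header["pi.sri"], now):
            return "deny:pf-session-revoked", None   # seen at most SRI_CACHE_SECONDS late

        claims = dict(claims)
        if now >= claims["pingaccess_refresh_exp"]:
            # drop stale user attributes, keep session attributes, re-fetch from PF
            claims = {k: v for k, v in claims.items() if k in SESSION_CLAIMS}
            claims.update(self.fetch_user_attrs(claims["sub"]))
            claims["pingaccess_refresh_exp"] = now + REFRESH_INTERVAL
        # slide 15: iat stays, exp slides, and the max timeout caps the slide
        claims["exp"] = min(now + IDLE_TIMEOUT, claims["iat"] + MAX_TIMEOUT)
        return "ok", encode(header, claims)
```

The ordering in `check` matters: the max-timeout and idle checks are local and cost nothing, the pi.sri check may cost a round trip to PF, so it runs last. The cache window is the revocation latency: a PF session revoked between two checks stays usable at the PA until the cached verdict ages out, which is the trade-off the "Session State Cache (seconds)" setting expresses.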
OpenID Connect Based Single Logout
• Simple Logout (/pa/oidc/logout)
• Single Logout
  • PF Config
    • Track User Sessions for Logout (AS setting)
    • Revoke User Session on Logout (Client Settings)
    • PingAccess Logout Capable (Client Settings)
  • https://<PF-BASE>/idp/startSLO.ping
PingAccess Scalability
• Stateless Engine Nodes
• Load balancing and fail over for protecting sites
• Simple Engine Node Deployment
• Token Mediation
Stateless Engine nodes
• How much state?
  • Temporary Token Cache
  • (Optional) User Attributes
• Self-contained Session Token
  • No state sharing needed
  • No shared database needed
  • Missing data is calculated or fetched from PF
Load balancing and fail over for sites
• Proxy deployment
  • Load balance requests to multiple instances of target site
  • Fail over strategy for target sites
  • (Coming soon) implement custom load balancing strategies
Simple Engine Node Deployment
• Mostly environment setup
• Engine:
  • Install JDK and PingAccess
  • Modify one line in run.properties
• Agent:
  • Install agent on web server of choice
  • Create Agent/Engine config file from admin console, copy to the target server.
Token Mediation
• Token Exchange using WS-Trust
  • Server: PingFederate
  • Input: PA Session Token
  • Output: tokens supported by PF (WAM, OpenToken, etc.)
• Get a session token specific to a target site.
Thank you Q&A