Download - RSA Europe: Future of Cloud Identity
![Page 1: RSA Europe: Future of Cloud Identity](https://reader033.vdocument.in/reader033/viewer/2022061218/54b70b264a79594a478b4722/html5/thumbnails/1.jpg)
Session ID:
Session Classification:
Michael SchwartzFounder / CEO Gluu
The Future of Cloud Identity Security
IAM-207
General Interest
![Page 2: RSA Europe: Future of Cloud Identity](https://reader033.vdocument.in/reader033/viewer/2022061218/54b70b264a79594a478b4722/html5/thumbnails/2.jpg)
Background
2
![Page 3: RSA Europe: Future of Cloud Identity](https://reader033.vdocument.in/reader033/viewer/2022061218/54b70b264a79594a478b4722/html5/thumbnails/3.jpg)
Finally an Internet Identity Foundation…
3
Adoption ?
![Page 4: RSA Europe: Future of Cloud Identity](https://reader033.vdocument.in/reader033/viewer/2022061218/54b70b264a79594a478b4722/html5/thumbnails/4.jpg)
Who is behind the OpenID Foundation
4
![Page 5: RSA Europe: Future of Cloud Identity](https://reader033.vdocument.in/reader033/viewer/2022061218/54b70b264a79594a478b4722/html5/thumbnails/5.jpg)
Challenges Solved by OpenID Connect
How to share authentication with apps / websites Potential for Authorization Discovery
How to identify an anonymous Internet visitor Support constant new stream of mobile apps
“Apps” are not well known ahead of time… need to support dynamic registration
Session Management How can you “logout”…
5
![Page 6: RSA Europe: Future of Cloud Identity](https://reader033.vdocument.in/reader033/viewer/2022061218/54b70b264a79594a478b4722/html5/thumbnails/6.jpg)
How did we get here?
1998: Web Access Management Traditional enterprise SSO (i.e. SiteMinder)
2001: Federation How do I access websites outside my organization :
SAML
2011 Social Login Facebook Connect - Technology goes consumer
6
![Page 7: RSA Europe: Future of Cloud Identity](https://reader033.vdocument.in/reader033/viewer/2022061218/54b70b264a79594a478b4722/html5/thumbnails/7.jpg)
SAML Widely deployed by organizations Authentication + attributes + federation
OpenID Easy centralized authentication
Information Cards Lots of lessons learned : OpenID Account Chooser
OAUTH 1.0 and 1.1 Bundled Authentication / Authorization: first
authorization
Predecessors of OpenID Connect
7
![Page 8: RSA Europe: Future of Cloud Identity](https://reader033.vdocument.in/reader033/viewer/2022061218/54b70b264a79594a478b4722/html5/thumbnails/8.jpg)
IntroducingOpenID Connect
8
![Page 9: RSA Europe: Future of Cloud Identity](https://reader033.vdocument.in/reader033/viewer/2022061218/54b70b264a79594a478b4722/html5/thumbnails/9.jpg)
What is OpenID Connect?
Profile of OAuth2 Entities
Client, OpenID Providers (“OP”), Relying Party (“RP”) Workflows
Discovery, Authentication, Dynamic Client registration, Attribute Release, Session management
Schema Token, Keystore
9
![Page 10: RSA Europe: Future of Cloud Identity](https://reader033.vdocument.in/reader033/viewer/2022061218/54b70b264a79594a478b4722/html5/thumbnails/10.jpg)
10
![Page 11: RSA Europe: Future of Cloud Identity](https://reader033.vdocument.in/reader033/viewer/2022061218/54b70b264a79594a478b4722/html5/thumbnails/11.jpg)
11
![Page 12: RSA Europe: Future of Cloud Identity](https://reader033.vdocument.in/reader033/viewer/2022061218/54b70b264a79594a478b4722/html5/thumbnails/12.jpg)
Subtle Revolutions
“SMTP-stlye” email address are the entity identifiers
Ease of use for Web Developers Good usability for People
12
![Page 13: RSA Europe: Future of Cloud Identity](https://reader033.vdocument.in/reader033/viewer/2022061218/54b70b264a79594a478b4722/html5/thumbnails/13.jpg)
When ?
OP support 2013 Google launch of Account Chooser
Large RP’s will support first … 2013
CMS, CRM, communication and SaaS apps to follow
13
![Page 14: RSA Europe: Future of Cloud Identity](https://reader033.vdocument.in/reader033/viewer/2022061218/54b70b264a79594a478b4722/html5/thumbnails/14.jpg)
What is next?
14
![Page 15: RSA Europe: Future of Cloud Identity](https://reader033.vdocument.in/reader033/viewer/2022061218/54b70b264a79594a478b4722/html5/thumbnails/15.jpg)
Tools and Rules
Tools Its not just the Web, but the depth of software tools and
support that makes it so powerful.
Rules How the standards are used can be strengthened by the
central authorities. Both are needed… but rules may take a while
15
![Page 16: RSA Europe: Future of Cloud Identity](https://reader033.vdocument.in/reader033/viewer/2022061218/54b70b264a79594a478b4722/html5/thumbnails/16.jpg)
Organizational Trust Management
Organizational Trust Management Which “clients” are authorized
for which scopes? Which people are authorized
to use which clients? How to group related clients?
16
![Page 17: RSA Europe: Future of Cloud Identity](https://reader033.vdocument.in/reader033/viewer/2022061218/54b70b264a79594a478b4722/html5/thumbnails/17.jpg)
MultiParty Federations In OpenID Connect ?
17
http://www.nist.gov/itl/nstic-092012.cfm$1.8 Million NSTIC Grant
![Page 18: RSA Europe: Future of Cloud Identity](https://reader033.vdocument.in/reader033/viewer/2022061218/54b70b264a79594a478b4722/html5/thumbnails/18.jpg)
User Trust Management
UMA : User Managed Authorization Proposed IETF standard Enable users to centrally store permissions given to
applications Also Profile of OAuth2 Central “Authorization Manager” infrastructure Specify which Clients have access to which resources
(URLs) PEP / PDP architecture Course-grain authentication
18
![Page 19: RSA Europe: Future of Cloud Identity](https://reader033.vdocument.in/reader033/viewer/2022061218/54b70b264a79594a478b4722/html5/thumbnails/19.jpg)
Fine Grain Authorization
How to specify access to resources Resources need to be described by rules
All the pictures in this folder, except these three… Specifying “who” is authorized also needs rules
Any teacher in my child’s school can send her a message Note who could also be an organization, federation or some
other entity. External conditions
During business hours allow hosts from subnet 10.10.10.x
Many believe to solve this, we need a “Graph” standard
19
![Page 20: RSA Europe: Future of Cloud Identity](https://reader033.vdocument.in/reader033/viewer/2022061218/54b70b264a79594a478b4722/html5/thumbnails/20.jpg)
What would an OpenID Graph look like?
20
There are three types of arcs and nodes:contextual, relational, literal
![Page 21: RSA Europe: Future of Cloud Identity](https://reader033.vdocument.in/reader033/viewer/2022061218/54b70b264a79594a478b4722/html5/thumbnails/21.jpg)
Graph : Contextual Arcs
21
Address of the data is the same, butwho are you going to believe? [email protected] or chase.com ?
Note:DifferentContexts
• What is the provenance of data?
• How to group / organize data
![Page 22: RSA Europe: Future of Cloud Identity](https://reader033.vdocument.in/reader033/viewer/2022061218/54b70b264a79594a478b4722/html5/thumbnails/22.jpg)
Graph: Relational Arcs
22
How are OpenID endpoints related?
How do we convey real world relationships in the online world?
![Page 23: RSA Europe: Future of Cloud Identity](https://reader033.vdocument.in/reader033/viewer/2022061218/54b70b264a79594a478b4722/html5/thumbnails/23.jpg)
Graph: Permissions
23
$do specifies a “Link Contract”
Relational arc specifies what operationsare allowed on what part of the graph:could be $add, $mod, $del, $get, $all
$if specifies conditions
(1) What part of the graph (2) what operations (3) under what conditions
Javascript equation format
![Page 24: RSA Europe: Future of Cloud Identity](https://reader033.vdocument.in/reader033/viewer/2022061218/54b70b264a79594a478b4722/html5/thumbnails/24.jpg)
Conclusion
24
![Page 25: RSA Europe: Future of Cloud Identity](https://reader033.vdocument.in/reader033/viewer/2022061218/54b70b264a79594a478b4722/html5/thumbnails/25.jpg)
How can you prepare for OpenID Connect?
If you are a CTO / CSO Deploy an “OpenID Provider” at your organization to
enable developers for testing of new applications and cloud service providers.
Inquire about the roadmap for OpenID Connect support from your current SaaS providers
Define the vision to use OpenID Connect for internal and external SSO
Make plans to consolidate existing SAML and SSO infrastructures
25
![Page 26: RSA Europe: Future of Cloud Identity](https://reader033.vdocument.in/reader033/viewer/2022061218/54b70b264a79594a478b4722/html5/thumbnails/26.jpg)
How can you prepare for OpenID Connect?
If you are a Website or App developer Don’t create any more user databases Authenticated via OpenID Connect Use the “User Info” endpoint to request the OpenID
Scopes which contain information about the entity. Allow people to identify themselves with an email
address: support OpenID Connect discovery. Support OpenID Connect Dynamic Client Registration
for your app
26
![Page 27: RSA Europe: Future of Cloud Identity](https://reader033.vdocument.in/reader033/viewer/2022061218/54b70b264a79594a478b4722/html5/thumbnails/27.jpg)
How can you prepare for OpenID Connect?
If you are a Person ! Understand that you may need to choose your identity
depending on the app or website in question Gripe to websites that don’t support OpenID Connect
27
![Page 28: RSA Europe: Future of Cloud Identity](https://reader033.vdocument.in/reader033/viewer/2022061218/54b70b264a79594a478b4722/html5/thumbnails/28.jpg)
If you want Open Source OpenID Connect…
Please checkout the OX project OpenID Connect UMA SCIM OpenID Graph
28
http://ox.gluu.org