OpenID Connect - how it solves enterprise problems
DESCRIPTION
OpenID Connect is an identity layer on top of the OAuth 2.0 Authorization Framework. This session gives an overview of the underlying concept and how it can help you solve your problems.
TRANSCRIPT
![Page 1: OpenID Connect - how it solves enterprise problems](https://reader033.vdocument.in/reader033/viewer/2022051413/553acc9655034657228b45ea/html5/thumbnails/1.jpg)
Nomura Research Institute
Cloud Identity Summit 2013
OpenID Connect: How it solves your problems
July 10, 2013
Nat Sakimura
Nomura Research Institute
Chairman, The OpenID Foundation
@_nat_en
http://nat.sakimura.org/
![Page 2: OpenID Connect - how it solves enterprise problems](https://reader033.vdocument.in/reader033/viewer/2022051413/553acc9655034657228b45ea/html5/thumbnails/2.jpg)
© 2013 by Nomura Research Institute. All rights reserved.
B2E Identity
B2C Identity
G2C Identity
G2E Identity
(source of pictures) Microsoft Office Online
![Page 3: OpenID Connect - how it solves enterprise problems](https://reader033.vdocument.in/reader033/viewer/2022051413/553acc9655034657228b45ea/html5/thumbnails/3.jpg)
Q: "Why is OpenID Connect relevant for us in the enterprise? It's a consumer technology, is it not?"
![Page 4: OpenID Connect - how it solves enterprise problems](https://reader033.vdocument.in/reader033/viewer/2022051413/553acc9655034657228b45ea/html5/thumbnails/4.jpg)
Not quite, because I have a very enterprizy background…
![Page 5: OpenID Connect - how it solves enterprise problems](https://reader033.vdocument.in/reader033/viewer/2022051413/553acc9655034657228b45ea/html5/thumbnails/5.jpg)
OpenID Connect
• was built with Enterprise use in mind (as well as consumer use);
• helps you build effective access governance over cloud services
![Page 6: OpenID Connect - how it solves enterprise problems](https://reader033.vdocument.in/reader033/viewer/2022051413/553acc9655034657228b45ea/html5/thumbnails/6.jpg)
Q: What are the de facto federation and account provisioning protocols?
![Page 7: OpenID Connect - how it solves enterprise problems](https://reader033.vdocument.in/reader033/viewer/2022051413/553acc9655034657228b45ea/html5/thumbnails/7.jpg)
Identity Federation
• SAML?
Account Provisioning
• SPML?
![Page 8: OpenID Connect - how it solves enterprise problems](https://reader033.vdocument.in/reader033/viewer/2022051413/553acc9655034657228b45ea/html5/thumbnails/8.jpg)
No!
![Page 9: OpenID Connect - how it solves enterprise problems](https://reader033.vdocument.in/reader033/viewer/2022051413/553acc9655034657228b45ea/html5/thumbnails/9.jpg)
Identity Federation
• Password Sharing
Account Provisioning
• Custom CSV
![Page 10: OpenID Connect - how it solves enterprise problems](https://reader033.vdocument.in/reader033/viewer/2022051413/553acc9655034657228b45ea/html5/thumbnails/10.jpg)
Q: Why did we fail?
![Page 11: OpenID Connect - how it solves enterprise problems](https://reader033.vdocument.in/reader033/viewer/2022051413/553acc9655034657228b45ea/html5/thumbnails/11.jpg)
Too complex to understand: cognitive difficulty -> support difficulty.
Different products did not interoperate.
A large Japanese manufacturer:
▪ > 3000 partners all around the world
▪ Many of them were working with multiple companies
▪ Tried to create a SAML federation but failed.
![Page 12: OpenID Connect - how it solves enterprise problems](https://reader033.vdocument.in/reader033/viewer/2022051413/553acc9655034657228b45ea/html5/thumbnails/12.jpg)
CSV is easy.
• Hey, you just need Excel! And you can manually edit them!
Password Sharing is easy.
• Hey, it works on any application that supports passwords!
![Page 13: OpenID Connect - how it solves enterprise problems](https://reader033.vdocument.in/reader033/viewer/2022051413/553acc9655034657228b45ea/html5/thumbnails/13.jpg)
Lots of (hidden) problems…
![Page 14: OpenID Connect - how it solves enterprise problems](https://reader033.vdocument.in/reader033/viewer/2022051413/553acc9655034657228b45ea/html5/thumbnails/14.jpg)
Anything that more than 3 people know is not a secret!
Can easily get out of sync.
Allowing manual edit is a risk.
De-provisioning? Archiving?
Are you getting an audit trail of the access to those systems?
etc…
![Page 15: OpenID Connect - how it solves enterprise problems](https://reader033.vdocument.in/reader033/viewer/2022051413/553acc9655034657228b45ea/html5/thumbnails/15.jpg)
#fail
![Page 16: OpenID Connect - how it solves enterprise problems](https://reader033.vdocument.in/reader033/viewer/2022051413/553acc9655034657228b45ea/html5/thumbnails/16.jpg)
Let’s re-do. This time, dead simple.
Yes, we are reinventing a wheel, but this time, it will be a little rounder.
![Page 17: OpenID Connect - how it solves enterprise problems](https://reader033.vdocument.in/reader033/viewer/2022051413/553acc9655034657228b45ea/html5/thumbnails/17.jpg)
OpenID Connect & SCIM
![Page 18: OpenID Connect - how it solves enterprise problems](https://reader033.vdocument.in/reader033/viewer/2022051413/553acc9655034657228b45ea/html5/thumbnails/18.jpg)
SAML vs. OpenID Connect

| SAML Web SSO | OpenID Connect |
|---|---|
| XML | JSON |
| XML Dsig | JSON Web Signature (JWS) |
| XML Encryption | JSON Web Encryption (JWE) |
| SAML | JSON Web Token |
| SAML Assertion | ID Token (OIDC) |
| SOAP (mostly…) | REST |
| SAML Web SSO Profile | Standard (=OAuth 2.0 binding) |
| SPML | SCIM |
![Page 19: OpenID Connect - how it solves enterprise problems](https://reader033.vdocument.in/reader033/viewer/2022051413/553acc9655034657228b45ea/html5/thumbnails/19.jpg)
identity: set of attributes related to an entity
(ISO/IEC 29115 | ITU-T X.1254)
Note: distinguish identity and identifier carefully.
![Page 20: OpenID Connect - how it solves enterprise problems](https://reader033.vdocument.in/reader033/viewer/2022051413/553acc9655034657228b45ea/html5/thumbnails/20.jpg)
An example of simplistic enterprise “identity”
Employee number: A12349898
Name: John Smith
Position: General Manager
Department: Finance
Company: ABCD Holding
Location: NYHQ
Datetime: 29130809T12:34:11Z
![Page 21: OpenID Connect - how it solves enterprise problems](https://reader033.vdocument.in/reader033/viewer/2022051413/553acc9655034657228b45ea/html5/thumbnails/21.jpg)
Employee number: A12349898
Name: John Smith
Position: General Manager
Department: Finance
Company: ABCD Holding
Location: NYHQ
Datetime: 29130809T12:34:11Z
logging
User interface
Access Control info
![Page 22: OpenID Connect - how it solves enterprise problems](https://reader033.vdocument.in/reader033/viewer/2022051413/553acc9655034657228b45ea/html5/thumbnails/22.jpg)
Real Name
Professional qualification
department
Geo-location
Employee number
Entity Identity Resource
Authentication
Policy Enforcement
Rules
![Page 23: OpenID Connect - how it solves enterprise problems](https://reader033.vdocument.in/reader033/viewer/2022051413/553acc9655034657228b45ea/html5/thumbnails/23.jpg)
ABAC
Based on SP800-162 figure on page viii
identity Resource
Rules
entity
![Page 24: OpenID Connect - how it solves enterprise problems](https://reader033.vdocument.in/reader033/viewer/2022051413/553acc9655034657228b45ea/html5/thumbnails/24.jpg)
Real Name
Professional qualification
department
Geo-location
Employee number
Entity Identity Resource
Authentication PEP
PDP
PAP
Boss Metadata
Log Log
![Page 25: OpenID Connect - how it solves enterprise problems](https://reader033.vdocument.in/reader033/viewer/2022051413/553acc9655034657228b45ea/html5/thumbnails/25.jpg)
Requirements
R1 • Access Control MUST be done with the dynamic attributes
R2 • Identity MUST be provided from the authoritative source
R3 • Need to be able to provide flexible security.
R4 • Need to be dead simple.
R5 • Interoperability is the king.
R6 • Limited connection (esp. mobile) ready.
R7 • Unified technology for enterprise and consumer.
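Requirements R1 and R2 describe an ABAC flow in which the PEP asks a PDP for a decision computed from attributes fetched at request time, with both sides writing a log (the PEP/PDP/PAP/Log diagram above). The following is an added example, not code from the talk or from any product it mentions: a small Python PDP with deny-overrides combining, a PEP wrapper, and an audit log. The attribute names, the rule set and the "John Smith" sample values are constructed for illustration and are not a policy the slides specify.

```python
"""ABAC policy decision point (PDP) driven by identity attributes.

Added example (not from the slides): identity attributes come from the
authoritative source at request time (R1/R2), the PEP asks the PDP for a
decision, and every decision is written to an audit log. Attribute names,
rules and sample values are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class AccessRequest:
    subject: Dict[str, object]      # identity attributes of the entity (e.g. ID Token / UserInfo claims)
    resource: Dict[str, object]     # attributes of the thing being accessed
    environment: Dict[str, object]  # contextual attributes (time, location, ...)


@dataclass
class Rule:
    name: str
    effect: str                                # "Permit" or "Deny"
    applies: Callable[[AccessRequest], bool]   # condition over the three attribute sets


# Policy administered at the PAP; the PDP evaluates it on every request.
POLICY: List[Rule] = [
    Rule("deny-inactive-account", "Deny",
         lambda r: r.subject.get("status") != "active"),
    Rule("deny-outside-business-hours", "Deny",
         lambda r: not 8 <= r.environment.get("hour_utc", -1) < 20),
    Rule("report-readable-by-owning-department", "Permit",
         lambda r: r.resource.get("type") == "report"
         and r.resource.get("owner_department") == r.subject.get("department")),
    Rule("general-manager-at-hq-reads-any-report", "Permit",
         lambda r: r.resource.get("type") == "report"
         and r.subject.get("position") == "General Manager"
         and r.environment.get("location") == "NYHQ"),
]


def decide(policy: List[Rule], request: AccessRequest, audit_log: List[dict]) -> str:
    """Deny-overrides combining: any applicable Deny wins, then any applicable Permit,
    otherwise Deny. Each decision is logged with the rules that fired."""
    fired = [rule for rule in policy if rule.applies(request)]
    if any(rule.effect == "Deny" for rule in fired):
        decision = "Deny"
    elif any(rule.effect == "Permit" for rule in fired):
        decision = "Permit"
    else:
        decision = "Deny"  # default deny: no rule matched
    audit_log.append({
        "subject": request.subject.get("employee_number"),
        "resource": request.resource.get("id"),
        "decision": decision,
        "rules": [rule.name for rule in fired],
    })
    return decision


def pep(subject: dict, resource: dict, environment: dict, audit_log: List[dict]) -> bool:
    """Policy enforcement point: passes the current attributes to the PDP and enforces the answer."""
    return decide(POLICY, AccessRequest(subject, resource, environment), audit_log) == "Permit"


# Constructed sample attributes, modelled on the "John Smith" identity in the slides.
JOHN = {"employee_number": "A12349898", "name": "John Smith", "position": "General Manager",
        "department": "Finance", "company": "ABCD Holding", "status": "active"}
FINANCE_REPORT = {"id": "rpt-fin-2013q2", "type": "report", "owner_department": "Finance"}
SALES_REPORT = {"id": "rpt-sales-2013q2", "type": "report", "owner_department": "Sales"}
AT_HQ = {"hour_utc": 12, "location": "NYHQ"}


def demo():
    """Run five constructed requests through the PEP; returns (decisions, audit log)."""
    log: List[dict] = []
    results = {
        "own_dept_report": pep(JOHN, FINANCE_REPORT, AT_HQ, log),
        "other_dept_report_at_hq": pep(JOHN, SALES_REPORT, AT_HQ, log),
        "other_dept_report_remote": pep(JOHN, SALES_REPORT, {"hour_utc": 12, "location": "Tokyo"}, log),
        "after_hours": pep(JOHN, FINANCE_REPORT, {"hour_utc": 23, "location": "NYHQ"}, log),
        # De-provisioning at the authoritative source takes effect on the very next request,
        # which a CSV copy of the identity would not give you.
        "left_company": pep({**JOHN, "status": "terminated"}, FINANCE_REPORT, AT_HQ, log),
    }
    return results, log


if __name__ == "__main__":
    decisions, audit = demo()
    for name, permitted in decisions.items():
        print(f"{name}: {'Permit' if permitted else 'Deny'}")
    print(audit[-1])
```

The subject attributes are passed in fresh on each call rather than cached in the PEP; that is what makes the last request (status changed at the source) fail immediately, and the audit log records which rules produced each decision.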
![Page 26: OpenID Connect - how it solves enterprise problems](https://reader033.vdocument.in/reader033/viewer/2022051413/553acc9655034657228b45ea/html5/thumbnails/26.jpg)
Real Name
Professional qualification
department
Geo-location
Employee number
Entity Identity Resource
Authentication PEP
PDP
PAP
Boss Metadata
Log Log
![Page 27: OpenID Connect - how it solves enterprise problems](https://reader033.vdocument.in/reader033/viewer/2022051413/553acc9655034657228b45ea/html5/thumbnails/27.jpg)
Deployment Experiences of OpenID Connect
![Page 28: OpenID Connect - how it solves enterprise problems](https://reader033.vdocument.in/reader033/viewer/2022051413/553acc9655034657228b45ea/html5/thumbnails/28.jpg)
What kind of deployment have we done?
Windows Domain integration
SMTP/IMAP/SSH & OpenID Connect
A large provider integration
Privacy Proxy
![Page 29: OpenID Connect - how it solves enterprise problems](https://reader033.vdocument.in/reader033/viewer/2022051413/553acc9655034657228b45ea/html5/thumbnails/29.jpg)
Windows Domain Integration
AD
Connect Server
Access Log
Service
Service
Service
Service
Registration
Discovery
HR System
![Page 30: OpenID Connect - how it solves enterprise problems](https://reader033.vdocument.in/reader033/viewer/2022051413/553acc9655034657228b45ea/html5/thumbnails/30.jpg)
Easy to implement
• Building was easy;
• Deployment was easy partly because you can “provision” the linked accounts;
Nice user experience for enterprise users
• No login dialogues; leverage on Windows Logon;
• No consent – as it is administered by the admin, and it is following privacy rules;
• Help avoid “Pavlov’s Dog Problem”
![Page 31: OpenID Connect - how it solves enterprise problems](https://reader033.vdocument.in/reader033/viewer/2022051413/553acc9655034657228b45ea/html5/thumbnails/31.jpg)
Turning Internet Dog to Pavlov’s Dog
Click! Click! Click! Click! Click! Click! Click!
(Source) Based on IIW dog
![Page 32: OpenID Connect - how it solves enterprise problems](https://reader033.vdocument.in/reader033/viewer/2022051413/553acc9655034657228b45ea/html5/thumbnails/32.jpg)
Q: But what about other protocols?
SMTP / IMAP / SSH etc.
Application Passwords …
![Page 33: OpenID Connect - how it solves enterprise problems](https://reader033.vdocument.in/reader033/viewer/2022051413/553acc9655034657228b45ea/html5/thumbnails/33.jpg)
PAM Module for OpenID Connect
SMTP / IMAP / SSH
PAM
OIDC Plugin
OpenID Connect Server
Thunderbird
Web Browser
Token
Token as Password
Token Introspection
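The diagram shows the mail and SSH clients presenting a token where a password would go, and the PAM OIDC plugin asking the OpenID Connect Server about it via token introspection. The following is an added example, not the PAM module from the talk: a Python stand-in for the server's introspection endpoint (its response fields follow OAuth 2.0 Token Introspection, RFC 7662, which postdates this 2013 talk) backed by an in-memory token table, and the check a PAM-style plugin would run on a username/"password" pair. The token table, the `tok-` token prefix used to tell tokens from plain passwords, the user names and the scope names are all constructed assumptions.

```python
"""PAM-style "token as password" check backed by token introspection.

Added example, not the talk's PAM module: `introspect()` stands in for the
OpenID Connect server's introspection endpoint (response fields as in RFC 7662)
using an in-memory token table, and `pam_auth()` is the check the OIDC plugin
runs when SMTP/IMAP/SSH hand it a username and a "password" that is really an
access token. Tokens, users, scopes and the "tok-" prefix are constructed.
"""
import hmac
from typing import Dict

NOW = 1_373_457_600  # fixed clock (seconds since epoch) so results are reproducible

# Constructed token table standing in for the Connect Server's token store.
TOKEN_STORE: Dict[str, dict] = {
    "tok-john-mail": {"active": True, "username": "jsmith", "sub": "A12349898",
                      "scope": "imap smtp", "client_id": "thunderbird", "exp": NOW + 3600},
    "tok-john-ssh":  {"active": True, "username": "jsmith", "sub": "A12349898",
                      "scope": "ssh", "client_id": "ssh-client", "exp": NOW + 3600},
    "tok-john-old":  {"active": True, "username": "jsmith", "sub": "A12349898",
                      "scope": "imap smtp", "client_id": "thunderbird", "exp": NOW - 1},
    "tok-revoked":   {"active": False, "username": "jsmith", "sub": "A12349898",
                      "scope": "imap smtp", "client_id": "thunderbird", "exp": NOW + 3600},
}


def introspect(token: str) -> dict:
    """Stand-in introspection endpoint. Unknown or revoked tokens get {"active": false}
    and nothing else, so a caller learns no metadata about tokens it cannot use."""
    for stored_token, meta in TOKEN_STORE.items():
        if hmac.compare_digest(stored_token, token):
            return dict(meta) if meta["active"] else {"active": False}
    return {"active": False}


def pam_auth(username: str, password: str, service: str, now: int = NOW) -> bool:
    """Return True only if `password` is an active token for `username` whose scope
    covers `service`. The server's `active` flag alone is not enough: the token must
    belong to the login name presented and must be usable for this particular service."""
    if not password.startswith("tok-"):
        return False  # not a token at all; leave it to the next PAM module (or reject)
    info = introspect(password)
    if not info.get("active"):
        return False  # revoked, unknown, or already reported expired by the server
    if info.get("exp") is not None and info["exp"] <= now:
        return False  # defensive: check expiry locally even if the server still says active
    if not hmac.compare_digest(info.get("username", ""), username):
        return False  # valid token, but it belongs to someone else
    if service not in info.get("scope", "").split():
        return False  # a mail token must not open an SSH session
    return True


if __name__ == "__main__":
    for user, token, service in [("jsmith", "tok-john-mail", "imap"),
                                 ("jsmith", "tok-john-mail", "ssh"),
                                 ("mallory", "tok-john-mail", "imap"),
                                 ("jsmith", "tok-revoked", "imap")]:
        print(user, token, service, "->", "OK" if pam_auth(user, token, service) else "DENIED")
```

Binding the token to the login name and to the service's scope is what keeps "token as password" from becoming "any token is a password": introspection confirms the token is live, and the plugin confirms it is the right token for this user and this protocol.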
![Page 34: OpenID Connect - how it solves enterprise problems](https://reader033.vdocument.in/reader033/viewer/2022051413/553acc9655034657228b45ea/html5/thumbnails/34.jpg)
Make sure to follow verification rules
• Some implementations were bitten by not following MUSTs.
• Never send an access token without an accompanying ID Token to any other clients.
• Otherwise, you will be subject to the token swap attack.
• http://www.thread-safe.com/2012/01/problem-with-oauth-for-authentication.html
• Care should be taken for “code” and “token” server-side verification.
• Maybe not so acute in most enterprise deployments, but in one of the consumer solutions that we help run, it is doing 2000 tr/sec.
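The slide's point is that an access token says nothing about who is at the client, so a client that accepts one as proof of login can be handed a token minted for a different client; only the ID Token, verified against this client's own identifier, ties the login to this session. The following is an added example, not code from the talk: a Python client-side verifier implementing the ID Token checks from OpenID Connect Core (signature, `iss`, `aud`, `azp`, `exp`, `nonce`) and an `authenticate()` step that refuses to log anyone in from a response that carries no ID Token. It uses HS256 with a single provider key to keep the example self-contained; the issuer URL, client ids, key, nonce and claim values are constructed, and a real deployment would normally verify RS256/ES256 signatures against the provider's published keys.

```python
"""ID Token verification and the "no login from an access token alone" rule.

Added example, not code from the talk. A single provider-wide HS256 key stands
in for the provider's signing key so that, as with RS256 and a public JWKS, a
token issued to any client verifies cryptographically; the `aud` check is what
stops a swapped token. Issuer, client ids, key, nonce and claims are constructed.
"""
import base64
import hashlib
import hmac
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class IdTokenError(Exception):
    pass


def sign_id_token(claims: dict, key: bytes) -> str:
    """Provider side: compact JWS (HS256) over the JSON claims."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_id_token(token: str, key: bytes, issuer: str, client_id: str,
                    nonce: str, now: int, leeway: int = 60) -> dict:
    """Client side: the checks that matter for token swap, in order."""
    parts = token.split(".")
    if len(parts) != 3:
        raise IdTokenError("malformed ID Token")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(_unb64url(h_b64))
    if header.get("alg") != "HS256":
        raise IdTokenError("unexpected alg")  # pin the algorithm; never honour 'none'
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(s_b64)):
        raise IdTokenError("signature does not verify")
    claims = json.loads(_unb64url(p_b64))
    if claims.get("iss") != issuer:
        raise IdTokenError("issuer mismatch")
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else list(aud or [])
    if client_id not in aud:
        raise IdTokenError("aud does not include this client: token was issued to another client")
    if len(aud) > 1 and claims.get("azp") != client_id:
        raise IdTokenError("azp mismatch")
    if claims.get("exp", 0) + leeway < now:
        raise IdTokenError("ID Token expired")
    if claims.get("nonce") != nonce:
        raise IdTokenError("nonce mismatch: token not bound to this login session")
    return claims


def authenticate(response: dict, key: bytes, issuer: str, client_id: str, nonce: str, now: int) -> str:
    """Log the user in from a token response. An access token by itself proves only that
    someone holds a token usable at the provider's API, not who is in front of this client."""
    if "id_token" not in response:
        raise IdTokenError("no ID Token: refusing to authenticate on an access token alone")
    return verify_id_token(response["id_token"], key, issuer, client_id, nonce, now)["sub"]


# Constructed fixtures.
ISSUER = "https://connect.example.com"
NOW = 1_373_457_600
NONCE = "n-0S6_WzA2Mj"
PROVIDER_KEY = b"provider-signing-key-for-this-example"


def _token_for(client_id: str, exp: int = NOW + 300) -> str:
    return sign_id_token({"iss": ISSUER, "sub": "A12349898", "aud": client_id,
                          "exp": exp, "iat": NOW - 5, "nonce": NONCE}, PROVIDER_KEY)


GOOD_RESPONSE = {"access_token": "at-1", "id_token": _token_for("mail-app")}
SWAPPED_RESPONSE = {"access_token": "at-2", "id_token": _token_for("other-app")}  # minted for another client
EXPIRED_RESPONSE = {"access_token": "at-3", "id_token": _token_for("mail-app", exp=NOW - 600)}
BARE_RESPONSE = {"access_token": "at-4"}  # access token only

if __name__ == "__main__":
    for name, resp in [("good", GOOD_RESPONSE), ("swapped", SWAPPED_RESPONSE),
                       ("expired", EXPIRED_RESPONSE), ("bare", BARE_RESPONSE)]:
        try:
            print(name, "-> logged in as", authenticate(resp, PROVIDER_KEY, ISSUER, "mail-app", NONCE, NOW))
        except IdTokenError as err:
            print(name, "-> rejected:", err)
```

The swapped token carries a valid signature from the same provider and the same subject; it is rejected purely because `aud` names a different client, which is the check the slide's MUST is protecting.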
![Page 35: OpenID Connect - how it solves enterprise problems](https://reader033.vdocument.in/reader033/viewer/2022051413/553acc9655034657228b45ea/html5/thumbnails/35.jpg)