SlideShare a Scribd company logo

CIS13: Hope or Hype: A Look at the Next Generation of Identity Standards

CloudIDSummit
CloudIDSummit

Brian Campbell, Senior Researcher, Ping Identity OpenID Connect, OAuth, JOSE and JWT may be the new kids on the block, but many experts and visionaries have already anointed them to replace SAML. Is the wheel being needlessly reinvented or is genuine progress on the horizon?

TechnologyBusiness
1 of 22
Download to read offline
Brian Campbell CIS Napa July 2013 @__b_cbackground and layout of slides specially designed for @lpeterman & @NishantK
http://flic.kr/s/aHsjziVAwV
http://flic.kr/s/aHsjAP3nKo
SAML is DEAD! * http://www.linkedin.com/in/burtonian SAML @craigburton
WTF “SAML is dead”? I’ve got a mortgage to pay… *Disclaimer: I work with these guys at Ping But I just started this job! @paulmadsen @ian13550
*http://blogs.kuppingercole.com/kearns/2012/07/31/the-death-and-life-of-a-protocol/ * @dak3
•  OpenID Connect •  simple JSON/REST-based interoperable identity protocol built on top of the OAuth 2.0 family of specifications. •  design philosophy: “make simple things simple and make complicated things possible.” •  Wins 2012 European Identity and Cloud Award •  “OpenID Connect the award[ed] Best Innovation/New Standard this year. What’s most impressive is that this elegantly simple design resulted from the cooperation of such a diverse global set of contributors. I expect OpenID Connect to have a substantial positive impact on usable, secure identity solutions both for traditional computing platforms and mobile devices. My congratulations to the OpenID Foundation!” - Dave Kearns •  “spurs global economic growth by enabling simple and secure exchange of verified attributes from multiple sources at Internet scale.” http://openid.net/2012/04/18/openid-connect-wins-2012-european-identity-and-cloud-award/
May, 2010: Conceptual Debut of Connect time elapses February, 2012: 1st Implementer’s Drafts March 2012 time elapses May, 2013: 2nd Implementer’s Drafts …? https://twitter.com/__b_c/status/181884679513833473 three nerds holding a blurry piece of paper... *Disclaimer: this guy also ‘works’ for Ping And I know these guys reasonably well from various initiatives http://www.thread-safe.com/2012/04/openid-connect-wins-2012-european.html “The OpenID Connect specifications are expected to be completed in the second half of 2012.” @selfissued @_nat_en @ve7jtb
*I did actually receive permission to use this photo @JasonABonds
Client Resource Server Get an access token Authorization Server Authorization Endpoint Token Endpoint Important Stuff Where the magic happens
Discovery Client Relying Party Resource Server Get an access token & an ID Token (JWT) Use an access token Authorization Server Identity Provider or IDP or OpenID Provider or OP Authorization Endpoint Token Endpoint Important Stuff Userinfo Endpoint Registration Endpoint JWKS Endpoint JWKS Endpoint Validate (JWT) ID Token /.well-known /webfinger /openid-configuration Check Session IFrame End Session Endpoint
The  JWT   eyJraWQiOiI1IiwiYWxnIjoiRVMyNTYifQ.eyJpc3MiOiJodHRwczpcL1wvaWRwLmV4YW1wbGUuY29tIiwKImV 4cCI6MTM1NzI1NTc4OCwKImF1ZCI6Imh0dHBzOlwvXC9zcC5leGFtcGxlLm9yZyIsCiJqdGkiOiJ0bVl2WVZVM ng4THZONzJCNVFfRWFjSC5fNUEiLAoiYWNyIjoiMiIsCiJzdWIiOiJCcmlhbiJ9.SbPJIx_JSRM1wluioY0Svf ykKWK_yK4LO0BKBiESHu0GUGwikgC8iPrv8qnVkIK1aljVMXcbgYnZixZJ5UOArg   The  Header   {"kid":"5","alg":"ES256"}   The  Payload   {"iss":"https://idp.example.com",   "exp":1357255788,   "aud":"https://sp.example.org",   "jti":"tmYvYVU2x8LvN72B5Q_EacH._5A",   "acr":"2",   "sub":"Brian"}   The  Signature   [computery  junk]  
eyJraWQiOiI1IiwiYWxnIjoiRVMyNTYifQ.eyJpc3MiOiJodHRwczpcL1wvaWRwLmV4YW1wbGUuY29tIiwKImV4cCI6MTM1NzI1NTc4OCwKImF1ZCI6Imh0dHBzOlwvXC9zcC5 leGFtcGxlLm9yZyIsCiJqdGkiOiJ0bVl2WVZVMng4THZONzJCNVFfRWFjSC5fNUEiLAoiYWNyIjoiMiIsCiJzdWIiOiJCcmlhbiJ9.SbPJIx_JSRM1wluioY0SvfykKWK_yK4L O0BKBiESHu0GUGwikgC8iPrv8qnVkIK1aljVMXcbgYnZixZJ5UOArg       <Assertion  Version="2.0"  IssueInstant="2013-­‐01-­‐03T23:34:38.546Z”  ID="oPm.DxOqT3ZZi83IwuVr3x83xlr"      xmlns="urn:oasis:names:tc:SAML:2.0:assertion”  xmlns:ds="http://www.w3.org/2000/09/xmldsig#">      <Issuer>https://idp.example.com</Issuer>      <ds:Signature>          <ds:SignedInfo>              <ds:CanonicalizationMethod  Algorithm="http://www.w3.org/2001/10/xml-­‐exc-­‐c14n#"/>              <ds:SignatureMethod  Algorithm="http://www.w3.org/2001/04/xmldsig-­‐more#ecdsa-­‐sha256"/>              <ds:Reference  URI="#oPm.DxOqT3ZZi83IwuVr3x83xlr">                  <ds:Transforms>                      <ds:Transform  Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-­‐signature"/>                      <ds:Transform  Algorithm="http://www.w3.org/2001/10/xml-­‐exc-­‐c14n#"/>                  </ds:Transforms>                  <ds:DigestMethod  Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>                  <ds:DigestValue>8JT03jjlsqBgXhStxmDhs2zlCPsgMkMTC1lIK9g7e0o=</ds:DigestValue>              </ds:Reference>          </ds:SignedInfo>          <ds:SignatureValue>SAXf8eCmTjuhV742blyvLvVumZJ+TqiG3eMsRDUQU8RnNSspZzNJ8MOUwffkT6kvAR3BXeVzob5p08jsb99UJQ==</ds:SignatureValue>      </ds:Signature>      <Subject>          <NameID  Format="urn:oasis:names:tc:SAML:1.1:nameid-­‐format:unspecified">Brian</NameID>          <SubjectConfirmation  Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">              <SubjectConfirmationData  NotOnOrAfter="2013-­‐01-­‐03T23:39:38.552Z"  Recipient="https://sp.example.org"/>          </SubjectConfirmation>      </Subject>      <Conditions  NotOnOrAfter="2013-­‐01-­‐03T23:39:38.552Z"  NotBefore="2013-­‐01-­‐03T23:29:38.552Z">          <AudienceRestriction>              <Audience>https://sp.example.org</Audience>          </AudienceRestriction>      </Conditions>      <AuthnStatement  AuthnInstant="2013-­‐01-­‐03T23:34:38.483Z"  SessionIndex="oPm.DxOqT3ZZi83IwuVr3x83xlr">          <AuthnContext>              <AuthnContextClassRef>2</AuthnContextClassRef>          </AuthnContext>      </AuthnStatement>   </Assertion>  
* http://www.google.com/about/appsecurity/hall-of-fame/reward/
JWT/JWS  Header   {"kid":"5",   "alg":"ES256"}   {"keys":[ {"kty":"EC", "kid":"4", "x":"LX-7aQn7RAx3jDDTioNssbODUfED_6XvZP8NsGzMlRo", "y":"dJbHEoeWzezPYuz6qjKJoRVLks7X8-BJXbewfyoJQ-A", "crv":"P-256"}, {"kty":"EC", "kid":"5", "x":"f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU", "y":"x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0", "crv":"P-256"}, {"kty":"EC", "kid":"6", "x":"J8z237wci2YJAzArSdWIj4OgrOCCfuZ18WI77jsiS00", "y":"5tTxvax8aRMMJ4unKdKsV0wcf3pOI3OG771gOa45wBU", "crv":"P-256"} ]}
Brian Campbell CIS Napa July 2013 @__b_c
SAML Any Questions? Brian Campbell CIS Napa July 2013 @__b_c

Recommended

CIS13: Identity at Scale
CIS13: Identity at ScaleCIS13: Identity at Scale
CIS13: Identity at ScaleCloudIDSummit
 
2016 04-26 webinar - consumer-focused identity management
2016 04-26 webinar - consumer-focused identity management2016 04-26 webinar - consumer-focused identity management
2016 04-26 webinar - consumer-focused identity managementshivan82
 
CIS13: Identity Trends and Transients
CIS13: Identity Trends and TransientsCIS13: Identity Trends and Transients
CIS13: Identity Trends and TransientsCloudIDSummit
 
Consumer Identity Management
Consumer Identity ManagementConsumer Identity Management
Consumer Identity Managementwebhostingguy
 
CIS13: OpenID Connect: How it Solves your Problems
CIS13: OpenID Connect: How it Solves your ProblemsCIS13: OpenID Connect: How it Solves your Problems
CIS13: OpenID Connect: How it Solves your ProblemsCloudIDSummit
 
Push, Pull, or Punt - Identity management tug-of-war: Then, Now, and Beyond
Push, Pull, or Punt - Identity management tug-of-war: Then, Now, and BeyondPush, Pull, or Punt - Identity management tug-of-war: Then, Now, and Beyond
Push, Pull, or Punt - Identity management tug-of-war: Then, Now, and BeyondIan Glazer
 
Hope or Hype: A Look at the Next Generation of Identity Standards
Hope or Hype: A Look at the Next Generation of Identity StandardsHope or Hype: A Look at the Next Generation of Identity Standards
Hope or Hype: A Look at the Next Generation of Identity StandardsBrian Campbell
 
2019 GDRR: Blockchain Data Analytics - Machine Learning in/for Blockchain: Fu...
2019 GDRR: Blockchain Data Analytics - Machine Learning in/for Blockchain: Fu...2019 GDRR: Blockchain Data Analytics - Machine Learning in/for Blockchain: Fu...
2019 GDRR: Blockchain Data Analytics - Machine Learning in/for Blockchain: Fu...The Statistical and Applied Mathematical Sciences Institute
 

Recommended

CIS13: Identity at Scale
CIS13: Identity at ScaleCIS13: Identity at Scale
CIS13: Identity at ScaleCloudIDSummit
 
2016 04-26 webinar - consumer-focused identity management
2016 04-26 webinar - consumer-focused identity management2016 04-26 webinar - consumer-focused identity management
2016 04-26 webinar - consumer-focused identity managementshivan82
 
CIS13: Identity Trends and Transients
CIS13: Identity Trends and TransientsCIS13: Identity Trends and Transients
CIS13: Identity Trends and TransientsCloudIDSummit
 
Consumer Identity Management
Consumer Identity ManagementConsumer Identity Management
Consumer Identity Managementwebhostingguy
 
CIS13: OpenID Connect: How it Solves your Problems
CIS13: OpenID Connect: How it Solves your ProblemsCIS13: OpenID Connect: How it Solves your Problems
CIS13: OpenID Connect: How it Solves your ProblemsCloudIDSummit
 
Push, Pull, or Punt - Identity management tug-of-war: Then, Now, and Beyond
Push, Pull, or Punt - Identity management tug-of-war: Then, Now, and BeyondPush, Pull, or Punt - Identity management tug-of-war: Then, Now, and Beyond
Push, Pull, or Punt - Identity management tug-of-war: Then, Now, and BeyondIan Glazer
 
Hope or Hype: A Look at the Next Generation of Identity Standards
Hope or Hype: A Look at the Next Generation of Identity StandardsHope or Hype: A Look at the Next Generation of Identity Standards
Hope or Hype: A Look at the Next Generation of Identity StandardsBrian Campbell
 
2019 GDRR: Blockchain Data Analytics - Machine Learning in/for Blockchain: Fu...
2019 GDRR: Blockchain Data Analytics - Machine Learning in/for Blockchain: Fu...2019 GDRR: Blockchain Data Analytics - Machine Learning in/for Blockchain: Fu...
2019 GDRR: Blockchain Data Analytics - Machine Learning in/for Blockchain: Fu...The Statistical and Applied Mathematical Sciences Institute
 
Hacking BLE Bicycle Locks for Fun and a Small Profit
Hacking BLE Bicycle Locks for Fun and a Small ProfitHacking BLE Bicycle Locks for Fun and a Small Profit
Hacking BLE Bicycle Locks for Fun and a Small ProfitPriyanka Aash
 
Avinash Kuma1
Avinash Kuma1Avinash Kuma1
Avinash Kuma1avinash1307
 
Edge trends mizuno-template
Edge trends mizuno-templateEdge trends mizuno-template
Edge trends mizuno-templateshintaro mizuno
 
Foreman Single Sign-On Made Easy with Keycloak
Foreman Single Sign-On Made Easy with KeycloakForeman Single Sign-On Made Easy with Keycloak
Foreman Single Sign-On Made Easy with KeycloakNikhil Kathole
 
Introductions of Messaging bot 做聊天機器人
Introductions of Messaging bot 做聊天機器人Introductions of Messaging bot 做聊天機器人
Introductions of Messaging bot 做聊天機器人Johnny Sung
 
zqtn req 16 Spet 2012
zqtn req 16 Spet 2012zqtn req 16 Spet 2012
zqtn req 16 Spet 2012Bhanu Srivastava
 
Speed Matters!
Speed Matters!Speed Matters!
Speed Matters!Andy Davies
 
Experiences in ELK with D3.js for Large Log Analysis and Visualization
Experiences in ELK with D3.js for Large Log Analysis and VisualizationExperiences in ELK with D3.js for Large Log Analysis and Visualization
Experiences in ELK with D3.js for Large Log Analysis and VisualizationSurasak Sanguanpong
 
What’s New With 3D Design and Printing?
What’s New With 3D Design and Printing?What’s New With 3D Design and Printing?
What’s New With 3D Design and Printing?St. Petersburg College
 
The Devil and HTML5
The Devil and HTML5The Devil and HTML5
The Devil and HTML5Myles Braithwaite
 
I Am DevOps (And So Can You)
I Am DevOps (And So Can You)I Am DevOps (And So Can You)
I Am DevOps (And So Can You)bridgetkromhout
 
Xircd Yapcasia2008
Xircd Yapcasia2008Xircd Yapcasia2008
Xircd Yapcasia2008kan
 
CEI Email 3.14.03
CEI Email 3.14.03CEI Email 3.14.03
CEI Email 3.14.03Obama White House
 
Conexión Persuasiva (persuasión)
Conexión Persuasiva (persuasión)Conexión Persuasiva (persuasión)
Conexión Persuasiva (persuasión)Gemma Casals
 
Introducing Intelligence Into Your Malware Analysis
Introducing Intelligence Into Your Malware AnalysisIntroducing Intelligence Into Your Malware Analysis
Introducing Intelligence Into Your Malware AnalysisBrian Baskin
 
Semiconductores
SemiconductoresSemiconductores
Semiconductores미구 천사
 
A look inside the European Covid Green Certificate - Rust Dublin
A look inside the European Covid Green Certificate - Rust DublinA look inside the European Covid Green Certificate - Rust Dublin
A look inside the European Covid Green Certificate - Rust DublinLuciano Mammino
 
Ruby Robots
Ruby RobotsRuby Robots
Ruby RobotsDaniel Cukier
 
La computadoras
La computadorasLa computadoras
La computadorasAngelGabriel03
 
Jose A. Briones Tweets Archive 3-29-2009 to 2-19-2013
Jose A. Briones Tweets Archive 3-29-2009 to 2-19-2013Jose A. Briones Tweets Archive 3-29-2009 to 2-19-2013
Jose A. Briones Tweets Archive 3-29-2009 to 2-19-2013Jose Briones
 
CIS 2016 Content Highlights
CIS 2016 Content HighlightsCIS 2016 Content Highlights
CIS 2016 Content HighlightsCloudIDSummit
 
Top 6 Reasons You Should Attend Cloud Identity Summit 2016
Top 6 Reasons You Should Attend Cloud Identity Summit 2016Top 6 Reasons You Should Attend Cloud Identity Summit 2016
Top 6 Reasons You Should Attend Cloud Identity Summit 2016CloudIDSummit
 

More Related Content

Similar to CIS13: Hope or Hype: A Look at the Next Generation of Identity Standards

Hacking BLE Bicycle Locks for Fun and a Small Profit
Hacking BLE Bicycle Locks for Fun and a Small ProfitHacking BLE Bicycle Locks for Fun and a Small Profit
Hacking BLE Bicycle Locks for Fun and a Small ProfitPriyanka Aash
 
Edge trends mizuno-template
Edge trends mizuno-templateEdge trends mizuno-template
Edge trends mizuno-templateshintaro mizuno
 
Foreman Single Sign-On Made Easy with Keycloak
Foreman Single Sign-On Made Easy with KeycloakForeman Single Sign-On Made Easy with Keycloak
Foreman Single Sign-On Made Easy with KeycloakNikhil Kathole
 
Introductions of Messaging bot 做聊天機器人
Introductions of Messaging bot 做聊天機器人Introductions of Messaging bot 做聊天機器人
Introductions of Messaging bot 做聊天機器人Johnny Sung
 
Experiences in ELK with D3.js for Large Log Analysis and Visualization
Experiences in ELK with D3.js for Large Log Analysis and VisualizationExperiences in ELK with D3.js for Large Log Analysis and Visualization
Experiences in ELK with D3.js for Large Log Analysis and VisualizationSurasak Sanguanpong
 
What’s New With 3D Design and Printing?
What’s New With 3D Design and Printing?What’s New With 3D Design and Printing?
What’s New With 3D Design and Printing?St. Petersburg College
 
I Am DevOps (And So Can You)
I Am DevOps (And So Can You)I Am DevOps (And So Can You)
I Am DevOps (And So Can You)bridgetkromhout
 
Xircd Yapcasia2008
Xircd Yapcasia2008Xircd Yapcasia2008
Xircd Yapcasia2008kan
 
Conexión Persuasiva (persuasión)
Conexión Persuasiva (persuasión)Conexión Persuasiva (persuasión)
Conexión Persuasiva (persuasión)Gemma Casals
 
Introducing Intelligence Into Your Malware Analysis
Introducing Intelligence Into Your Malware AnalysisIntroducing Intelligence Into Your Malware Analysis
Introducing Intelligence Into Your Malware AnalysisBrian Baskin
 
A look inside the European Covid Green Certificate - Rust Dublin
A look inside the European Covid Green Certificate - Rust DublinA look inside the European Covid Green Certificate - Rust Dublin
A look inside the European Covid Green Certificate - Rust DublinLuciano Mammino
 
Jose A. Briones Tweets Archive 3-29-2009 to 2-19-2013
Jose A. Briones Tweets Archive 3-29-2009 to 2-19-2013Jose A. Briones Tweets Archive 3-29-2009 to 2-19-2013
Jose A. Briones Tweets Archive 3-29-2009 to 2-19-2013Jose Briones
 

Similar to CIS13: Hope or Hype: A Look at the Next Generation of Identity Standards (20)

Hacking BLE Bicycle Locks for Fun and a Small Profit
Hacking BLE Bicycle Locks for Fun and a Small ProfitHacking BLE Bicycle Locks for Fun and a Small Profit
Hacking BLE Bicycle Locks for Fun and a Small Profit
 
Avinash Kuma1
Avinash Kuma1Avinash Kuma1
Avinash Kuma1
 
Edge trends mizuno-template
Edge trends mizuno-templateEdge trends mizuno-template
Edge trends mizuno-template
 
Foreman Single Sign-On Made Easy with Keycloak
Foreman Single Sign-On Made Easy with KeycloakForeman Single Sign-On Made Easy with Keycloak
Foreman Single Sign-On Made Easy with Keycloak
 
Introductions of Messaging bot 做聊天機器人
Introductions of Messaging bot 做聊天機器人Introductions of Messaging bot 做聊天機器人
Introductions of Messaging bot 做聊天機器人
 
zqtn req 16 Spet 2012
zqtn req 16 Spet 2012zqtn req 16 Spet 2012
zqtn req 16 Spet 2012
 
Speed Matters!
Speed Matters!Speed Matters!
Speed Matters!
 
Experiences in ELK with D3.js for Large Log Analysis and Visualization
Experiences in ELK with D3.js for Large Log Analysis and VisualizationExperiences in ELK with D3.js for Large Log Analysis and Visualization
Experiences in ELK with D3.js for Large Log Analysis and Visualization
 
What’s New With 3D Design and Printing?
What’s New With 3D Design and Printing?What’s New With 3D Design and Printing?
What’s New With 3D Design and Printing?
 
The Devil and HTML5
The Devil and HTML5The Devil and HTML5
The Devil and HTML5
 
I Am DevOps (And So Can You)
I Am DevOps (And So Can You)I Am DevOps (And So Can You)
I Am DevOps (And So Can You)
 
Xircd Yapcasia2008
Xircd Yapcasia2008Xircd Yapcasia2008
Xircd Yapcasia2008
 
CEI Email 3.14.03
CEI Email 3.14.03CEI Email 3.14.03
CEI Email 3.14.03
 
Conexión Persuasiva (persuasión)
Conexión Persuasiva (persuasión)Conexión Persuasiva (persuasión)
Conexión Persuasiva (persuasión)
 
Introducing Intelligence Into Your Malware Analysis
Introducing Intelligence Into Your Malware AnalysisIntroducing Intelligence Into Your Malware Analysis
Introducing Intelligence Into Your Malware Analysis
 
Semiconductores
SemiconductoresSemiconductores
Semiconductores
 
A look inside the European Covid Green Certificate - Rust Dublin
A look inside the European Covid Green Certificate - Rust DublinA look inside the European Covid Green Certificate - Rust Dublin
A look inside the European Covid Green Certificate - Rust Dublin
 
Ruby Robots
Ruby RobotsRuby Robots
Ruby Robots
 
La computadoras
La computadorasLa computadoras
La computadoras
 
Jose A. Briones Tweets Archive 3-29-2009 to 2-19-2013
Jose A. Briones Tweets Archive 3-29-2009 to 2-19-2013Jose A. Briones Tweets Archive 3-29-2009 to 2-19-2013
Jose A. Briones Tweets Archive 3-29-2009 to 2-19-2013
 

More from CloudIDSummit

CIS 2016 Content Highlights
CIS 2016 Content HighlightsCIS 2016 Content Highlights
CIS 2016 Content HighlightsCloudIDSummit
 
Top 6 Reasons You Should Attend Cloud Identity Summit 2016
Top 6 Reasons You Should Attend Cloud Identity Summit 2016Top 6 Reasons You Should Attend Cloud Identity Summit 2016
Top 6 Reasons You Should Attend Cloud Identity Summit 2016CloudIDSummit
 
CIS 2015 Security Without Borders: Taming the Cloud and Mobile Frontier - And...
CIS 2015 Security Without Borders: Taming the Cloud and Mobile Frontier - And...CIS 2015 Security Without Borders: Taming the Cloud and Mobile Frontier - And...
CIS 2015 Security Without Borders: Taming the Cloud and Mobile Frontier - And...CloudIDSummit
 
Mobile security, identity & authentication reasons for optimism 20150607 v2
Mobile security, identity & authentication reasons for optimism 20150607 v2Mobile security, identity & authentication reasons for optimism 20150607 v2
Mobile security, identity & authentication reasons for optimism 20150607 v2CloudIDSummit
 
CIS 2015 Mobile Security, Identity & Authentication: Reasons for Optimism - R...
CIS 2015 Mobile Security, Identity & Authentication: Reasons for Optimism - R...CIS 2015 Mobile Security, Identity & Authentication: Reasons for Optimism - R...
CIS 2015 Mobile Security, Identity & Authentication: Reasons for Optimism - R...CloudIDSummit
 
CIS 2015 Virtual Identity: The Vision, Challenges and Experiences in Driving ...
CIS 2015 Virtual Identity: The Vision, Challenges and Experiences in Driving ...CIS 2015 Virtual Identity: The Vision, Challenges and Experiences in Driving ...
CIS 2015 Virtual Identity: The Vision, Challenges and Experiences in Driving ...CloudIDSummit
 
CIS 2015 Deploying Strong Authentication to a Global Enterprise: A Comedy in ...
CIS 2015 Deploying Strong Authentication to a Global Enterprise: A Comedy in ...CIS 2015 Deploying Strong Authentication to a Global Enterprise: A Comedy in ...
CIS 2015 Deploying Strong Authentication to a Global Enterprise: A Comedy in ...CloudIDSummit
 
CIS 2015 Without Great Security, Digital Identity is Not Worth the Electrons ...
CIS 2015 Without Great Security, Digital Identity is Not Worth the Electrons ...CIS 2015 Without Great Security, Digital Identity is Not Worth the Electrons ...
CIS 2015 Without Great Security, Digital Identity is Not Worth the Electrons ...CloudIDSummit
 
CIS 2015 Mergers & Acquisitions in a Cloud Enabled World - Brian Puhl
CIS 2015 Mergers & Acquisitions in a Cloud Enabled World - Brian PuhlCIS 2015 Mergers & Acquisitions in a Cloud Enabled World - Brian Puhl
CIS 2015 Mergers & Acquisitions in a Cloud Enabled World - Brian PuhlCloudIDSummit
 
CIS 2015 IoT and IDM in your Mobile Enterprise - Brian Katz
CIS 2015 IoT and IDM in your Mobile Enterprise - Brian KatzCIS 2015 IoT and IDM in your Mobile Enterprise - Brian Katz
CIS 2015 IoT and IDM in your Mobile Enterprise - Brian KatzCloudIDSummit
 
CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...
CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...
CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...CloudIDSummit
 
CIS 2015 What I Learned From Pitching IAM To My CIO - Steve Tout
CIS 2015 What I Learned From Pitching IAM To My CIO - Steve ToutCIS 2015 What I Learned From Pitching IAM To My CIO - Steve Tout
CIS 2015 What I Learned From Pitching IAM To My CIO - Steve ToutCloudIDSummit
 
CIS 2015 How to secure the Internet of Things? Hannes Tschofenig
CIS 2015 How to secure the Internet of Things? Hannes TschofenigCIS 2015 How to secure the Internet of Things? Hannes Tschofenig
CIS 2015 How to secure the Internet of Things? Hannes TschofenigCloudIDSummit
 
CIS 2015 The IDaaS Dating Game - Sean Deuby
CIS 2015 The IDaaS Dating Game - Sean DeubyCIS 2015 The IDaaS Dating Game - Sean Deuby
CIS 2015 The IDaaS Dating Game - Sean DeubyCloudIDSummit
 
CIS 2015 SSO for Mobile and Web Apps Ashish Jain
CIS 2015 SSO for Mobile and Web Apps Ashish JainCIS 2015 SSO for Mobile and Web Apps Ashish Jain
CIS 2015 SSO for Mobile and Web Apps Ashish JainCloudIDSummit
 
The Industrial Internet, the Identity of Everything and the Industrial Enterp...
The Industrial Internet, the Identity of Everything and the Industrial Enterp...The Industrial Internet, the Identity of Everything and the Industrial Enterp...
The Industrial Internet, the Identity of Everything and the Industrial Enterp...CloudIDSummit
 
CIS 2015 SAML-IN / SAML-OUT - Scott Tomilson & John Dasilva
CIS 2015 SAML-IN / SAML-OUT - Scott Tomilson & John DasilvaCIS 2015 SAML-IN / SAML-OUT - Scott Tomilson & John Dasilva
CIS 2015 SAML-IN / SAML-OUT - Scott Tomilson & John DasilvaCloudIDSummit
 
CIS 2015 Session Management at Scale - Scott Tomilson & Jamshid Khosravian
CIS 2015 Session Management at Scale - Scott Tomilson & Jamshid KhosravianCIS 2015 Session Management at Scale - Scott Tomilson & Jamshid Khosravian
CIS 2015 Session Management at Scale - Scott Tomilson & Jamshid KhosravianCloudIDSummit
 
CIS 2015 So you want to SSO … Scott Tomilson & John Dasilva
CIS 2015 So you want to SSO … Scott Tomilson & John DasilvaCIS 2015 So you want to SSO … Scott Tomilson & John Dasilva
CIS 2015 So you want to SSO … Scott Tomilson & John DasilvaCloudIDSummit
 
CIS 2015 Identity Relationship Management in the Internet of Things
CIS 2015 Identity Relationship Management in the Internet of ThingsCIS 2015 Identity Relationship Management in the Internet of Things
CIS 2015 Identity Relationship Management in the Internet of ThingsCloudIDSummit
 

More from CloudIDSummit (20)

CIS 2016 Content Highlights
CIS 2016 Content HighlightsCIS 2016 Content Highlights
CIS 2016 Content Highlights
 
Top 6 Reasons You Should Attend Cloud Identity Summit 2016
Top 6 Reasons You Should Attend Cloud Identity Summit 2016Top 6 Reasons You Should Attend Cloud Identity Summit 2016
Top 6 Reasons You Should Attend Cloud Identity Summit 2016
 
CIS 2015 Security Without Borders: Taming the Cloud and Mobile Frontier - And...
CIS 2015 Security Without Borders: Taming the Cloud and Mobile Frontier - And...CIS 2015 Security Without Borders: Taming the Cloud and Mobile Frontier - And...
CIS 2015 Security Without Borders: Taming the Cloud and Mobile Frontier - And...
 
Mobile security, identity & authentication reasons for optimism 20150607 v2
Mobile security, identity & authentication reasons for optimism 20150607 v2Mobile security, identity & authentication reasons for optimism 20150607 v2
Mobile security, identity & authentication reasons for optimism 20150607 v2
 
CIS 2015 Mobile Security, Identity & Authentication: Reasons for Optimism - R...
CIS 2015 Mobile Security, Identity & Authentication: Reasons for Optimism - R...CIS 2015 Mobile Security, Identity & Authentication: Reasons for Optimism - R...
CIS 2015 Mobile Security, Identity & Authentication: Reasons for Optimism - R...
 
CIS 2015 Virtual Identity: The Vision, Challenges and Experiences in Driving ...
CIS 2015 Virtual Identity: The Vision, Challenges and Experiences in Driving ...CIS 2015 Virtual Identity: The Vision, Challenges and Experiences in Driving ...
CIS 2015 Virtual Identity: The Vision, Challenges and Experiences in Driving ...
 
CIS 2015 Deploying Strong Authentication to a Global Enterprise: A Comedy in ...
CIS 2015 Deploying Strong Authentication to a Global Enterprise: A Comedy in ...CIS 2015 Deploying Strong Authentication to a Global Enterprise: A Comedy in ...
CIS 2015 Deploying Strong Authentication to a Global Enterprise: A Comedy in ...
 
CIS 2015 Without Great Security, Digital Identity is Not Worth the Electrons ...
CIS 2015 Without Great Security, Digital Identity is Not Worth the Electrons ...CIS 2015 Without Great Security, Digital Identity is Not Worth the Electrons ...
CIS 2015 Without Great Security, Digital Identity is Not Worth the Electrons ...
 
CIS 2015 Mergers & Acquisitions in a Cloud Enabled World - Brian Puhl
CIS 2015 Mergers & Acquisitions in a Cloud Enabled World - Brian PuhlCIS 2015 Mergers & Acquisitions in a Cloud Enabled World - Brian Puhl
CIS 2015 Mergers & Acquisitions in a Cloud Enabled World - Brian Puhl
 
CIS 2015 IoT and IDM in your Mobile Enterprise - Brian Katz
CIS 2015 IoT and IDM in your Mobile Enterprise - Brian KatzCIS 2015 IoT and IDM in your Mobile Enterprise - Brian Katz
CIS 2015 IoT and IDM in your Mobile Enterprise - Brian Katz
 
CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...
CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...
CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...
 
CIS 2015 What I Learned From Pitching IAM To My CIO - Steve Tout
CIS 2015 What I Learned From Pitching IAM To My CIO - Steve ToutCIS 2015 What I Learned From Pitching IAM To My CIO - Steve Tout
CIS 2015 What I Learned From Pitching IAM To My CIO - Steve Tout
 
CIS 2015 How to secure the Internet of Things? Hannes Tschofenig
CIS 2015 How to secure the Internet of Things? Hannes TschofenigCIS 2015 How to secure the Internet of Things? Hannes Tschofenig
CIS 2015 How to secure the Internet of Things? Hannes Tschofenig
 
CIS 2015 The IDaaS Dating Game - Sean Deuby
CIS 2015 The IDaaS Dating Game - Sean DeubyCIS 2015 The IDaaS Dating Game - Sean Deuby
CIS 2015 The IDaaS Dating Game - Sean Deuby
 
CIS 2015 SSO for Mobile and Web Apps Ashish Jain
CIS 2015 SSO for Mobile and Web Apps Ashish JainCIS 2015 SSO for Mobile and Web Apps Ashish Jain
CIS 2015 SSO for Mobile and Web Apps Ashish Jain
 
The Industrial Internet, the Identity of Everything and the Industrial Enterp...
The Industrial Internet, the Identity of Everything and the Industrial Enterp...The Industrial Internet, the Identity of Everything and the Industrial Enterp...
The Industrial Internet, the Identity of Everything and the Industrial Enterp...
 
CIS 2015 SAML-IN / SAML-OUT - Scott Tomilson & John Dasilva
CIS 2015 SAML-IN / SAML-OUT - Scott Tomilson & John DasilvaCIS 2015 SAML-IN / SAML-OUT - Scott Tomilson & John Dasilva
CIS 2015 SAML-IN / SAML-OUT - Scott Tomilson & John Dasilva
 
CIS 2015 Session Management at Scale - Scott Tomilson & Jamshid Khosravian
CIS 2015 Session Management at Scale - Scott Tomilson & Jamshid KhosravianCIS 2015 Session Management at Scale - Scott Tomilson & Jamshid Khosravian
CIS 2015 Session Management at Scale - Scott Tomilson & Jamshid Khosravian
 
CIS 2015 So you want to SSO … Scott Tomilson & John Dasilva
CIS 2015 So you want to SSO … Scott Tomilson & John DasilvaCIS 2015 So you want to SSO … Scott Tomilson & John Dasilva
CIS 2015 So you want to SSO … Scott Tomilson & John Dasilva
 
CIS 2015 Identity Relationship Management in the Internet of Things
CIS 2015 Identity Relationship Management in the Internet of ThingsCIS 2015 Identity Relationship Management in the Internet of Things
CIS 2015 Identity Relationship Management in the Internet of Things
 

Recently uploaded

Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Bhuvaneswari Subramani
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Victor Rentea
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Zilliz
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamUiPathCommunity
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWERMadyBayot
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...apidays
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...apidays
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdfSandro Moreira
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistandanishmna97
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontologyjohnbeverley2021
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDropbox
 

Recently uploaded (20)

Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 

CIS13: Hope or Hype: A Look at the Next Generation of Identity Standards

  • 1. Brian Campbell CIS Napa July 2013 @__b_cbackground and layout of slides specially designed for @lpeterman & @NishantK
  • 5. WTF “SAML is dead”? I’ve got a mortgage to pay… *Disclaimer: I work with these guys at Ping But I just started this job! @paulmadsen @ian13550
  • 7. •  OpenID Connect •  simple JSON/REST-based interoperable identity protocol built on top of the OAuth 2.0 family of specifications. •  design philosophy: “make simple things simple and make complicated things possible.” •  Wins 2012 European Identity and Cloud Award •  “OpenID Connect the award[ed] Best Innovation/New Standard this year. What’s most impressive is that this elegantly simple design resulted from the cooperation of such a diverse global set of contributors. I expect OpenID Connect to have a substantial positive impact on usable, secure identity solutions both for traditional computing platforms and mobile devices. My congratulations to the OpenID Foundation!” - Dave Kearns •  “spurs global economic growth by enabling simple and secure exchange of verified attributes from multiple sources at Internet scale.” http://openid.net/2012/04/18/openid-connect-wins-2012-european-identity-and-cloud-award/
  • 8. May, 2010: Conceptual Debut of Connect time elapses February, 2012: 1st Implementer’s Drafts March 2012 time elapses May, 2013: 2nd Implementer’s Drafts …? https://twitter.com/__b_c/status/181884679513833473 three nerds holding a blurry piece of paper... *Disclaimer: this guy also ‘works’ for Ping And I know these guys reasonably well from various initiatives http://www.thread-safe.com/2012/04/openid-connect-wins-2012-european.html “The OpenID Connect specifications are expected to be completed in the second half of 2012.” @selfissued @_nat_en @ve7jtb
  • 9.
  • 10. *I did actually receive permission to use this photo @JasonABonds
  • 11.
  • 12.
  • 13. Client Resource Server Get an access token Authorization Server Authorization Endpoint Token Endpoint Important Stuff Where the magic happens
  • 14. Discovery Client Relying Party Resource Server Get an access token & an ID Token (JWT) Use an access token Authorization Server Identity Provider or IDP or OpenID Provider or OP Authorization Endpoint Token Endpoint Important Stuff Userinfo Endpoint Registration Endpoint JWKS Endpoint JWKS Endpoint Validate (JWT) ID Token /.well-known /webfinger /openid-configuration Check Session IFrame End Session Endpoint
  • 15. The  JWT   eyJraWQiOiI1IiwiYWxnIjoiRVMyNTYifQ.eyJpc3MiOiJodHRwczpcL1wvaWRwLmV4YW1wbGUuY29tIiwKImV 4cCI6MTM1NzI1NTc4OCwKImF1ZCI6Imh0dHBzOlwvXC9zcC5leGFtcGxlLm9yZyIsCiJqdGkiOiJ0bVl2WVZVM ng4THZONzJCNVFfRWFjSC5fNUEiLAoiYWNyIjoiMiIsCiJzdWIiOiJCcmlhbiJ9.SbPJIx_JSRM1wluioY0Svf ykKWK_yK4LO0BKBiESHu0GUGwikgC8iPrv8qnVkIK1aljVMXcbgYnZixZJ5UOArg   The  Header   {"kid":"5","alg":"ES256"}   The  Payload   {"iss":"https://idp.example.com",   "exp":1357255788,   "aud":"https://sp.example.org",   "jti":"tmYvYVU2x8LvN72B5Q_EacH._5A",   "acr":"2",   "sub":"Brian"}   The  Signature   [computery  junk]  
  • 16. eyJraWQiOiI1IiwiYWxnIjoiRVMyNTYifQ.eyJpc3MiOiJodHRwczpcL1wvaWRwLmV4YW1wbGUuY29tIiwKImV4cCI6MTM1NzI1NTc4OCwKImF1ZCI6Imh0dHBzOlwvXC9zcC5 leGFtcGxlLm9yZyIsCiJqdGkiOiJ0bVl2WVZVMng4THZONzJCNVFfRWFjSC5fNUEiLAoiYWNyIjoiMiIsCiJzdWIiOiJCcmlhbiJ9.SbPJIx_JSRM1wluioY0SvfykKWK_yK4L O0BKBiESHu0GUGwikgC8iPrv8qnVkIK1aljVMXcbgYnZixZJ5UOArg       <Assertion  Version="2.0"  IssueInstant="2013-­‐01-­‐03T23:34:38.546Z”  ID="oPm.DxOqT3ZZi83IwuVr3x83xlr"      xmlns="urn:oasis:names:tc:SAML:2.0:assertion”  xmlns:ds="http://www.w3.org/2000/09/xmldsig#">      <Issuer>https://idp.example.com</Issuer>      <ds:Signature>          <ds:SignedInfo>              <ds:CanonicalizationMethod  Algorithm="http://www.w3.org/2001/10/xml-­‐exc-­‐c14n#"/>              <ds:SignatureMethod  Algorithm="http://www.w3.org/2001/04/xmldsig-­‐more#ecdsa-­‐sha256"/>              <ds:Reference  URI="#oPm.DxOqT3ZZi83IwuVr3x83xlr">                  <ds:Transforms>                      <ds:Transform  Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-­‐signature"/>                      <ds:Transform  Algorithm="http://www.w3.org/2001/10/xml-­‐exc-­‐c14n#"/>                  </ds:Transforms>                  <ds:DigestMethod  Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>                  <ds:DigestValue>8JT03jjlsqBgXhStxmDhs2zlCPsgMkMTC1lIK9g7e0o=</ds:DigestValue>              </ds:Reference>          </ds:SignedInfo>          <ds:SignatureValue>SAXf8eCmTjuhV742blyvLvVumZJ+TqiG3eMsRDUQU8RnNSspZzNJ8MOUwffkT6kvAR3BXeVzob5p08jsb99UJQ==</ds:SignatureValue>      </ds:Signature>      <Subject>          <NameID  Format="urn:oasis:names:tc:SAML:1.1:nameid-­‐format:unspecified">Brian</NameID>          <SubjectConfirmation  Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">              <SubjectConfirmationData  NotOnOrAfter="2013-­‐01-­‐03T23:39:38.552Z"  Recipient="https://sp.example.org"/>          </SubjectConfirmation>      </Subject>      <Conditions  NotOnOrAfter="2013-­‐01-­‐03T23:39:38.552Z"  NotBefore="2013-­‐01-­‐03T23:29:38.552Z">          <AudienceRestriction>              <Audience>https://sp.example.org</Audience>          </AudienceRestriction>      </Conditions>      <AuthnStatement  AuthnInstant="2013-­‐01-­‐03T23:34:38.483Z"  SessionIndex="oPm.DxOqT3ZZi83IwuVr3x83xlr">          <AuthnContext>              <AuthnContextClassRef>2</AuthnContextClassRef>          </AuthnContext>      </AuthnStatement>   </Assertion>  
  • 18. JWT/JWS  Header   {"kid":"5",   "alg":"ES256"}   {"keys":[ {"kty":"EC", "kid":"4", "x":"LX-7aQn7RAx3jDDTioNssbODUfED_6XvZP8NsGzMlRo", "y":"dJbHEoeWzezPYuz6qjKJoRVLks7X8-BJXbewfyoJQ-A", "crv":"P-256"}, {"kty":"EC", "kid":"5", "x":"f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU", "y":"x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0", "crv":"P-256"}, {"kty":"EC", "kid":"6", "x":"J8z237wci2YJAzArSdWIj4OgrOCCfuZ18WI77jsiS00", "y":"5tTxvax8aRMMJ4unKdKsV0wcf3pOI3OG771gOa45wBU", "crv":"P-256"} ]}
  • 19.
  • 20.
  • 22. SAML Any Questions? Brian Campbell CIS Napa July 2013 @__b_c