When it comes to identity and access management (IAM) for your application, it's good to warm-up with a good cup of identity protocol soup. Key ingredients include SAML, OAuth, OpenID and OpenID Connect. In this session, learn how developers create world-class private and public applications that are secure, mobile and can be easily provisioned -- all leveraging these standards-based protocols.

1. Warm Up to
Identity Protocol Soup
David Waite
Principal Technical Architect
1 Copyright ©2012 Ping Identity Corporation. All rights reserved.

2. Topics
•What is Digital Identity?
•What are the different
technologies?
•How are they useful?
•Where is this space going?
2 Copyright ©2012 Ping Identity Corporation. All rights reserved.

3. Digital Identity
3 Copyright ©2012 Ping Identity Corporation. All rights reserved.

4. Concepts
• Authentication / Authenticity
–Is this entity (person/machine) who they say
4 Copyright ©2012 Ping Identity Corporation. All rights reserved.

5. Concepts
• Attributes / Identity Information
–My name is David Waite
–I work for Ping Identity
–I’ve been in the Identity Space for 10 years
–My email address is dwaite@pingidentity.com
5 Copyright ©2012 Ping Identity Corporation. All rights reserved.

6. Introductions
• Ping Identity
–Focused on Identity standards
–Enterprise and Consumer-oriented solutions
–On-site software (PingFederate)
–Identity as a Service offerings (PingOne)
6 Copyright ©2012 Ping Identity Corporation. All rights reserved.

7. Concepts
• Authorization
–What are the rules on who can do what
• Access Control
–Enforces whether you can or can’t do
something
7 Copyright ©2012 Ping Identity Corporation. All rights reserved.

8. Concepts
• The bundle of credentials, identifiers and
attributes makes up the traditional idea of
an “Account”
• The services which work by the same
system of accounts and authorization
make up a “Security Domain”
8 Copyright ©2012 Ping Identity Corporation. All rights reserved.

9. SAML / In the Beginning
9 Copyright ©2012 Ping Identity Corporation. All rights reserved.

10. Simple App
Application
DB Login Content
10 Copyright ©2012 Ping Identity Corporation. All rights reserved.

11. Less Simple App
Application
Login Content
DB
Self- Password
Registration Recovery
11 Copyright ©2012 Ping Identity Corporation. All rights reserved.

12. Uh-Oh
Application Application
Login Content Login Content
DB
Self- Self- Password
Registration Registration Recovery
12 Copyright ©2012 Ping Identity Corporation. All rights reserved.

13. Reality (Simplified)
Application Application
Login Content Login Content
Self- Self- Password
Registration Registration Recovery
DB
Application Application
DB DB
Login Content Login Content
Self- Password Self-
Registration Recovery Registration
13 Copyright ©2012 Ping Identity Corporation. All rights reserved.

14. Supportability Issues
• Multiple accounts
• Different usernames and passwords
• Varying support / recovery processes
• Hard to change Authorization policy
• Provisioning users is error-prone
14 Copyright ©2012 Ping Identity Corporation. All rights reserved.

15. Security Issues
• Users may retain access to systems
• Duplicated passwords and user info
• Lack of auditing
• Home-grown auth may be insecure
• Difficult to switch to multi-factor
15 Copyright ©2012 Ping Identity Corporation. All rights reserved.

16. Architectural impact
• Decomposing applications is hard
• Difficult to mash up APIs
–Data Silos
• Code for authz policy changes
• Rebuilding same components
16 Copyright ©2012 Ping Identity Corporation. All rights reserved.

17. Solution?
• Identity and Access Management
–Infrastructure shared by apps
–Centralized resources and management
• Examples:
–Use LDAP for account attributes
–Create groups representing authorizations
rather than departments
17 Copyright ©2012 Ping Identity Corporation. All rights reserved.

18. Identity and Access Management
• Single Authentication Mechanism
–Transport: Client X.509, Kerberos
–Domain cookie w/App Server Plugin
–Authenticating Proxy in front of apps
18 Copyright ©2012 Ping Identity Corporation. All rights reserved.

19. Identity and Access Management
• Central Authorization Policy
• Set policy at HTTP resource level
• Responsible for Access Control at
resource level
19 Copyright ©2012 Ping Identity Corporation. All rights reserved.

20. Drawbacks
• Time/TCO to retrofit existing apps
• High cost of infrastructure upgrades
• M&A often be a nightmare
• There are no standards
–huge amount of vendor lock-in.
20 Copyright ©2012 Ping Identity Corporation. All rights reserved.

21. Failings
•Not always possible to support
–COTS software
–3rd Party / Hosted software
21 Copyright ©2012 Ping Identity Corporation. All rights reserved.

22. SAML
22 Copyright ©2012 Ping Identity Corporation. All rights reserved.

23. SAML
• Security Assertion Markup Language
• 1.0 in November 2002
• 2.0 in March 2005
“Securely Assert Identity Information”
23 Copyright ©2012 Ping Identity Corporation. All rights reserved.

24. SAML Roles
• “Identity Provider” (IDP)
–provides identity information
• “Service Provider” (SP)
–consumes identity information
–provides access to services
24 Copyright ©2012 Ping Identity Corporation. All rights reserved.

25. SAML Pieces
• Assertion
–XML document
–a signed and/or encrypted
–containing identity information
25 Copyright ©2012 Ping Identity Corporation. All rights reserved.

26. SAML Parts
• Protocol - messages built on assertions
• Binding - sending protocol over the wire
• Profile - combination to accomplish
some use case
26 Copyright ©2012 Ping Identity Corporation. All rights reserved.

27. SAML Web SSO
• Most popular profile is
Web Browser Single Sign-On Profile
• Use browser as a communication
channel
• Authenticates browser that delivers
the message
27 Copyright ©2012 Ping Identity Corporation. All rights reserved.

28. SAML Web SSO
Bridges Accounts for the
different Security Domains
28 Copyright ©2012 Ping Identity Corporation. All rights reserved.

29. SAML Used by
• Web Browser SSO Profile
• WS-* (as token)
• WS-Federation (as token)
• OAuth 2 (as authentication
mechanism)
29 Copyright ©2012 Ping Identity Corporation. All rights reserved.

30. OpenID
30 Copyright ©2012 Ping Identity Corporation. All rights reserved.

31. OpenID
• Created by Brad Fitzpatrick in 2005
• Came out of blogging space
–Don’t want to manage accounts just to let
people comment on blog posts
• Initially for Lower Assurance
• Dynamically Managed relationships
31 Copyright ©2012 Ping Identity Corporation. All rights reserved.

32. OpenID
• Your “username” is a URL
• Your login proves ownership
• Your identity/persona is that URL
32 Copyright ©2012 Ping Identity Corporation. All rights reserved.

33. OpenID - How it works
• Relying Party
–Similar role to SP, requests/relies on OpenID
• OpenID Provider
–Similar role to IDP, authenticates users
33 Copyright ©2012 Ping Identity Corporation. All rights reserved.

34. OpenID - How it works
1.User enters OpenID or selects OP at
Relying Party*
2.RP figures out appropriate OP
3.Sends browser to OP so the user can
prove who they are
4.OP sends authenticated user back to RP
34 Copyright ©2012 Ping Identity Corporation. All rights reserved.

35. Advantages
• User-Centric Identity
–user maintains control
–determines who sees what
• Can run infrastructure without coordination
35 Copyright ©2012 Ping Identity Corporation. All rights reserved.

36. Disadvantages
• Users do not understand URLs
• Hidden complexity in implementing
• Interoperability is poor
• Many sites are non-compliant
• Some sites require extensions
36 Copyright ©2012 Ping Identity Corporation. All rights reserved.

37. Recommendation
• Support specific partners/software
• Choose a mature product or library
• Hide OpenID from user
–Use a NASCAR page
37 Copyright ©2012 Ping Identity Corporation. All rights reserved.

38. OAuth 1 and 2
38 Copyright ©2012 Ping Identity Corporation. All rights reserved.

39. OAuth
• Negotiate/Represent Authorization
for Apps
• Per-user
–Delegation of user access
–User participation in authorization policy
39 Copyright ©2012 Ping Identity Corporation. All rights reserved.

40. The Old Model*
40 Copyright ©2012 Ping Identity Corporation. All rights reserved.

41. The Old Model*
41 Copyright ©2012 Ping Identity Corporation. All rights reserved.

42. OAuth 1
• Created in 2007
• 2-legged
–Server to Server
• 3-legged
–User authorization
42 Copyright ©2012 Ping Identity Corporation. All rights reserved.

43. OAuth 1 Flow
• User selects to add/authorize third party
• App sends user to third party site
• User authenticates with site if needed,
indicates what the app is authorized for
• User is sent back to App with token
43 Copyright ©2012 Ping Identity Corporation. All rights reserved.

44. OAuth Benefits
• App access is limited
• App behaviors are auditable
• User makes their own policy decisions
• Users can revoke access to their data
44 Copyright ©2012 Ping Identity Corporation. All rights reserved.

45. OAuth 2
• Removes complex signature requirement
–Must use SSL
–Resource access is simple
• Separate roles for resource protected,
authorization service
• Adds new flows for new native client use
45 Copyright ©2012 Ping Identity Corporation. All rights reserved.

46. OAuth 1 vs 2
• OAuth 1 is very pragmatic
–Hits two use cases
–Details them thoroughly with examples
• OAuth 2 is broad, extensible
–Pieces used to solve particular problem
• Do not recommend OAuth 1 for new projects
46 Copyright ©2012 Ping Identity Corporation. All rights reserved.

47. OAuth vs Web SSO
OAuth is for authorization, not
authentication
• Web SSO lets you know who the user is
• OAuth is permission to act for the user
• NOT a replacement for Web SSO
47 Copyright ©2012 Ping Identity Corporation. All rights reserved.

48. OAuth vs Web SSO
• OAuth does not give you
–User attributes
–Confirmation (that the user is present)
–Audience (this token was meant for you)
48 Copyright ©2012 Ping Identity Corporation. All rights reserved.

49. OpenID Connect
49 Copyright ©2012 Ping Identity Corporation. All rights reserved.

50. OpenID Connect
• In-process specification building on top
of OAuth 2
• Adds first-class identity information to
protocol
• Supports additional use cases
–(hybrid client)
50 Copyright ©2012 Ping Identity Corporation. All rights reserved.

51. OpenID Connect
• New “ID Token”
• Normal Access token is for the
resource, about the client application
• ID token is meant to be understood
by the client, about the user
51 Copyright ©2012 Ping Identity Corporation. All rights reserved.

52. OpenID Connect
• Defines UserInfo service
–To get user attributes in a standard manner
• Has Simple discovery mechanism to
authenticate by URL or email address
• Defines dynamic client support
52 Copyright ©2012 Ping Identity Corporation. All rights reserved.

53. OpenID Connect
OpenID Connect provides a single
way to securely support both Web
SSO, and API access by native clients.
53 Copyright ©2012 Ping Identity Corporation. All rights reserved.

54. Closing
54 Copyright ©2012 Ping Identity Corporation. All rights reserved.

55. Closing
• Digital Identity is a broad topic
representing the user authentication,
attributes, and authorization policies for a
domain
• Applications should not be their own
security domains
–does not scale
55 Copyright ©2012 Ping Identity Corporation. All rights reserved.

56. Closing
• Web SSO is a way to bridge the gap in
security domains
–SAML - Security Assertion Markup Language
–OpenID
56 Copyright ©2012 Ping Identity Corporation. All rights reserved.

57. Closing
• For native clients, the browser flow of Web
SSO is not appropriate
• SOAP services have WS-*
–supports SAML tokens
• REST services have OAuth
–supports SAML tokens
57 Copyright ©2012 Ping Identity Corporation. All rights reserved.

58. Closing
• Going forward, OpenID Connect
bridges Web SSO and API access.
• Supports authentication and
authorization
• Previous protocols will stay in use
58 Copyright ©2012 Ping Identity Corporation. All rights reserved.

59. Questions?
http://www.flickr.com/photos/horiavarlan/4273168957/
• Ask me about:
–WS-Federation
–WS-Security/WS-Trust
–SCIM
–ID-FF/Shibboleth
59 Copyright ©2012 Ping Identity Corporation. All rights reserved.

60. Questions?
• Visit www.pingidentity.com or www.pingone.com
for more information
• Email sales@pingidentity.com with questions
Are you a SaaS company interested in getting
started with PingOne for free?
Contact us at sales@pingidentity.com to
learn how!
60 Copyright ©2012 Ping Identity Corporation. All rights reserved.