Mobile Cloud Identity

Mobile Cloud Identity
Mark Diodati
Technical Director—CTO Office
@mark_diodati
mdiodati@pingidentity.com
Thurs 13-12-05

Agenda
•
•
•
•
•

Cloud Identity
Modern Identity’s Building Blocks
OpenID Connect
FIDO
NFC


CLOUD IDENTITY

On-Premises, Hybrid, Cloud
on-premises
cloud
hybrid

Cloud Identity
• Identity Management as a Service (IDaaS)
– Externally hosted, turnkey SaaS applications that
perform identity management
• Users and applications may be on-premises or hosted

– OPEX, flexible with changes in economies of scale

• Identity bridge
– On-premises component to connect on-premises
and externally hosted environments
– Supports multiple identity services

Hosted
On-Premises

Sync (API)

Federation SSO

To The Cloud (SSO + Provisioning)

Identity bridge

s
ero
b
Ker

Employee

Dire
ctor
y

SSO

syn

c

Federation IdP
Directory synchronization

Active
Directory

To The Cloud (Mobile Identity)
MDM cloud
service

Private key

Profile/policy

Credential
provisioning
Group

A

App distro

Externally Hosted
On-Premises

Group

Microsoft
Certificate
Services

Identity Bridge
MDM

Active Directory

MMC

From The Cloud (SSO)
Partner

SAML, OAuth,
Password, X.509

Hosted
On-Premises

OAuth relying party
OAuth authorization service
Federation SP
Federation IDP

OAuth resource server

HTTP
cookie

uth
OA

Identity bridge

WAM-protected application

SAM

L

SAML-enabled application

From the Cloud (Provisioning)
Provisioning
IDaaS

Externally Hosted

ERP

Reconciliation

Active Directory

Europe

Identity
bridge

North America

On-Premises

Identity
bridge

Manufacturing

Reconciliation

Active Directory

In The Cloud (SSO + Provisioning)
IDaaS

Provisioning

Provisioning
Federation IdP

Authentication

Federated SSO

User
Hosted
On-Premises


MODERN BUILDING BLOCKS

Modern Building Blocks
• REST (Representational State Transfer)
– Adopted in response to the complexity of SOAP
– Uses HTTP for its request/response
– Objects are represented as URLs
– Example HTTP verbs
• GET: retrieve object attributes
• POST: create object with new attributes
• DELETE: delete object

• JSON (JavaScript Object Notation)
– Adopted in response to the complexity of XML
– Data format representing name value pairs

• Most modern identity standards leverage
JSON over REST
– Peanut butter and jelly
– OAuth (authorization), SCIM (provisioning), FIDO
(authentication), OpenID Connect (multi-protocol)

• Some notable exceptions are SAML and
XACML

POST https://pingidentity.com:8443/Users
Authorization: Basic Y249RGlyZWN0b3J5IE1...
Content-Type: application/json
{
"userType":"spy",
"externalId":“tstark86753",
REST HTTP verb (add user in
"pacsSerial":"87654321",
"active":true,
SCIM)
"otpSerial":"12345678",
"email":“tony.stark@pingidentity.com",
"userName":"lcarroll",
"givenName":“Tony",
"familyName":“Stark“
}

{
"userType":"spy",
"externalId":“tstark86753",
In REST, objects and
"active":true,
endpoints have
"otpSerial":"12345678",
"email":“tony.stark@pingidentity.com",
unique URLs
"userName":"lcarroll",
"givenName":“Tony",
"familyName":“Stark“
}

JSON data representation
{
"userType":“superhero",
"externalId":"tstark86753",
"active":true,
"otpSerial":"12345678",
"email":"tony.stark@pingidentity.com",
"userName":"tstark",
"givenName":"Tony",
"familyName":"Stark"
}

{
"userType":"spy",
"externalId":"tstark86753",
"active":true,
"otpSerial":"12345678",
"email":"tony.stark@pingidentity.com",
"userName":"tstark",
"givenName":"Tony",
"familyName":"Stark"
}


OPENID CONNECT

OAuth
• Increasingly popular protocol for session
management in rich mobile applications
• Mobile web applications function well with
traditional enterprise authentication
• Rich mobile applications may break existing
infrastructure like authentication and Web
access management

OAuth Components and Flow
OAuth
resource server

OAuth
authorization server

OAuth
client/relying party

A

Native application

R

A

refresh
token

access
token

ded
loa
ion
wn
icat
do
ent
ens + auth
ok
6. T e code
nc
fere
e
5. R

2.
Us
er
au
3.
the
To
ke
n/
nr
co
efe
ns
en
ren
t
ce
ret
urn
co
de

rce
ou
es n
n r atio
t
tio
ca sen
pli
e
ap
pr
n
to
ke
ss
to
ce
Ac
ss
8.
ce
Ac
7.

A

1. Browser instantiated

4. Code delivery
Web browser

Why Not Just Use OAuth?
• OAuth is:
– Valuable as an access delegation protocol
– A good fit for native mobile applications
– Friendly for developers

• OAuth is not:
– A user identity protocol
– An “identity at scale” protocol

OAuth
resource server

OpenID Connect Flow
user information endpoint

n
s
en atio
k
To form
in
er
Us

A
AP
IA
cce
ss

A

OAuth

ID

R

A

ID
token

refresh
token

access
token

OpenID
Provider

OIDC Multliple Provider Flow

OpenID
OpenID
Provider #1
Provider

OAuth
resource server


n
ns kens ionatio
t
ke o a
To1. Tormform
f n
r in er i
e
Us2. Us

AP3. A A A
I A PI
cce Ac
ss ces
s

A
A

OAuth
OAuth

ID ID

R R

A A

access
refresh access
ID refresh
token
token token
token token

ID

ID

OpenID
OpenID
Provider #2
Provider

4. ID token
5. Access, Refresh tokens

R R

A A

OpenID Connect Protocols

Protocol for clients that
support additional security


Protocol for simpler clients


Optional discovery of OpenID
providers


Optional automated registration of clients
(e.g., server applications, mobile devices)

OpenID Connect Under The Covers
• OAuth 2.0 specifications
• JSON Web Token (JWT)
• JOSE
– JSON Web Signature (JWS)
– JSON Web Encryption (JWE)
– JSON Web Algorithms (JWA)
– JSON Web Key (JWK)

FIDO—A Tale of Two Protocols
• FIDO Unified Authentication Framework (UAF)
– Local mobile biometrics
– Initially proposed by Lenovo, Nok Nok, PayPal,
others
– Also supports non-biometric authentication

• Universal Second Factor (U2F)
– “Smart” smart card
• Initially proposed by Google and Yubikey (first to
partner)

FIDO UAF

(2) FIDO handshake

FIDO
Server

F

device attestation

(3) Asymmetrci key authn

web site/RP

Binding of user info and public key

ID Proofing
(1) user authentication
to FIDO client
FIDO Client

authenticator(s)

F

device key pair

site-specific key pairs

FIDO
Attestation
Service

F

UAF to OpenID Connect
Binding of user info and public key

OpenID Provider

(1) user authentication
to FIDO client

F A

(5
)A
PI
re
qu

es
t/

re
sp

on

se

(4) Token information

(2) FIDO handshake

FIDO client

(3) asymmetric key authn

F

FIDO authentication
module

A

mobile application
(relying party)
ID

A
tokens

R

User info, public key and
Key Handle

ord auth
ser passw
(1) u

site
authn
service

activation button
(activation required during
enrollment and optional at
runtime)

U2F
authn
service

device attestation

(2) Challenge
response,
with Key Han
dle

web site/RP

FIDO U2F

site-specific key pairs
(with Key Handles)

device key pair (per batch)

attestation
service

U2F to Federation

User info, public key and
Key Handle
Federation IDP

U2F
authn
service

Federation SP

(2) Challe
nge respo
nse,
with Key
Handle
(3)
SAM
L cr
ede
ntia
ls

(1) user password auth

primary
authn
service

(4)

L
AM
S

als
nti
de
cre

SCEP Certificate Enrollment
iPhone Configuration
Utility

Certificate
authority

Profile service

SCEP.mobileconfig

CE
ex
ec
ut
es
S
iO
S
(4)

ticates

(3) Profile is downloaded

n
(2) User authe
User

Pe
nr
oll
me
nt

(1) Utility publishes
enrollment profile

)
(5

te
ca
fi
rti
Ce

in
is

ed
all
st

in

S
iO

re
to
s

SCEP Enrollment Vulnerability
Certificate authority

Profile service
(1) Can I have a SCEP secret?

e.
cat
tifi
cer 9”.
r a 7530
l fo
rol “86
en et is
r
rk,
Sta sec
n y CE P
S
To
(3 ) Y o u r
SCEP.mobileconfig

(
M 4) M
yS y
CE n a
Ps m
ec e is
re “N
ti
Yo
s “ ick
ur
86 Fu
ce (5)
75 ry
rti
fic Here
30 ”.
ate y
9”
.
na ou g
me o!
is N
ick
Fu
ry.

(2) Sure!
Your SCEP secret is “8675309”.

Certificate

Private Key

Enhanced Enrollment
MDM service

Certificate authority
(1) Here is public key for user Tony Stark
(2) Sure! Here is the certificate

(3)

He
re
an is y
d p ou
riv r c
ate ert
ke ifica
y!
te

Private key

Certificate

MDM - Email Proxy
Private key

Certificate

MDM
Identity Bridge

Exchange Server

S4U Kerberos
impersonation

X.509 authentication

Kerberos tickets

Active
Directory

NFC on Mobile Device

Antenna

NFC controller

Secure element

NFC system

NFC for Converged Authentication
Building access

NFC

IT access

NFC for Tablet Authentication
Smartphone

Web application

Private key

SSL
Certificate

NFC
Tablet

Contactless smart card

NFC Provisioning

PKI
Certificate

Mobile Credential
Management Service
(MCM)

PACS
Credential

A

A

Application

Application

Externally Hosted
On-Premises

Identity
Bridge

Certificate
Authority

PACS Host

Active
Directory

Mobile Credential Management
Service
Trusted
Service
Manager

MDM
Mobile
Credential
Management
Service (MCM)

Mobile
Network
Operators

NFC Secure
Element

A

NFC Authorization
Authorization Policy
PKI Authentication

Policy Delivery

PKI Certificate

Mobile Cloud Identity

Recomendados

Recomendados

Más contenido relacionado

La actualidad más candente

La actualidad más candente (20)

Destacado

Destacado (6)

Similar a Mobile Cloud Identity

Similar a Mobile Cloud Identity (20)

Último

Último (20)

Mobile Cloud Identity