ALB User Authentication: Identity Management at Scale with Netflix (NET204) - AWS re:Invent 2018
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

Slide 2: ALB Authentication: Identity Management at Scale with Netflix
Will Rose, Senior Security Engineer, Netflix Information Security
NET204
3. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Agenda
Netflix Identity Principles
In Practice
ALB Authentication
Discussion
4. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
5. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Principle
Federate Everything
Every. Single. App.
Single Sign On Standards
OpenID Connect and OAuth
SAML
Make It Easy To Do The Right Thing
…and difficult to do it wrong
6. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Principle
Developer Self-Service
Simple onboarding
Expertise not required
Immediately available
No approval required
7. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Principle
Device Health Checks
User Focused Security
Engage with users to improve device security
Stethoscope
Open Source tool from Netflix to report on device health status
Integrated with Netflix Identity Platform
Influences user’s authentication experience
8. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Principle
Adaptive Multi-Factor Authentication
Contextual step-up authentication using:
Application Sensitivity
Usage patterns and behaviors
Device Health Status
User Agent Recognition
Geographic Location
9. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
10. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Landscape
Hundreds of applications, growing daily
With Great Freedom comes…
Great Variability
Languages and Frameworks galore
11. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Identity Challenges
Just use Client Libraries to Federate!
Always playing catch-up to new languages
and frameworks
Open source options of varying quality
and completeness
Developer friction around configuration
12. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Identity Challenges
Ok, then just use Authenticating Proxies!
Additional critical infrastructure to maintain
Potential bottlenecks and new failure modes
to address
Additional infrastructure cost to operate
Proxy Layer
Application Layer
13. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Please select one
C. None of the above
14. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
15. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Crazy Talk
Auth == Undifferentiated Heavy Lifting!
Why not Application Load Balancers!?
Let’s talk to Amazon!
Please?
16. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
17. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Alphabet Soup
Ingredients
1 x AWS
1 x ALB
1 x OIDC
Simmer for 6 months
Serves: everyone
18. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Under the Hood
X-Amzn-OIDC-Identity: will.rose@domain.com
X-Amzn-OIDC-Access-Token: 1waGF…YW50
X-Amzn-OIDC-Data: eyJhbG...y4MbQQ
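The three headers above are only as trustworthy as the path they arrived on: the load balancer sets them on every request it forwards, but a target that is also reachable by some other route receives whatever headers the caller chose to send. The defensive pattern is therefore to restrict target ingress to the ALB and, in the application, to verify the signed X-Amzn-OIDC-Data token before acting on X-Amzn-OIDC-Identity. The following Go program is an added example, not code from the talk, Netflix or AWS. It assumes the token format AWS documents for this header: a JWT signed with ES256, whose header carries a kid and the signing load balancer's ARN in a signer field, whose base64url segments are padded, and whose public key is served per kid at https://public-keys.auth.elb.<region>.amazonaws.com/<kid>. KeyResolver, VerifyALBToken, SignLikeALB and ALBClaims are this example's own names; the key pair and the ARN in main are constructed placeholders, and SignLikeALB exists only so the verifier can be exercised offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// KeyResolver maps the JWT "kid" header to the signing ALB's public key. In
// production it fetches and caches the PEM from the documented AWS endpoint
// https://public-keys.auth.elb.<region>.amazonaws.com/<kid>; this example's
// callers supply a constructed key instead so it runs offline.
type KeyResolver func(kid string) (*ecdsa.PublicKey, error)

// ALBHeader holds the JWT header fields this verifier relies on.
type ALBHeader struct {
	Alg    string `json:"alg"`
	Kid    string `json:"kid"`
	Signer string `json:"signer"` // ARN of the load balancer that signed the token
}

// ALBClaims holds the claims an application typically consumes.
type ALBClaims struct {
	Sub   string `json:"sub"`
	Email string `json:"email"`
	Exp   int64  `json:"exp"`
}

// decodeSegment accepts base64url with or without '=' padding: ALB pads its
// segments, which strict JWT libraries reject.
func decodeSegment(seg string) ([]byte, error) {
	return base64.RawURLEncoding.DecodeString(strings.TrimRight(seg, "="))
}

func decodeJSON(seg string, v interface{}) error {
	raw, err := decodeSegment(seg)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// VerifyALBToken validates an X-Amzn-OIDC-Data value before any claim is
// trusted: ES256 only, signer pinned to our own ALB, key looked up by kid,
// ECDSA signature checked over "header.payload", and exp enforced.
func VerifyALBToken(token, expectedSigner string, resolve KeyResolver, now time.Time) (*ALBClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr ALBHeader
	if err := decodeJSON(parts[0], &hdr); err != nil {
		return nil, err
	}
	if hdr.Alg != "ES256" {
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	if hdr.Signer != expectedSigner {
		return nil, fmt.Errorf("signed by %q, not our load balancer", hdr.Signer)
	}
	pub, err := resolve(hdr.Kid)
	if err != nil {
		return nil, err
	}
	sig, err := decodeSegment(parts[2])
	if err != nil || len(sig) != 64 { // JWS ES256 signature is raw R||S, 32 bytes each
		return nil, errors.New("bad signature encoding")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, errors.New("signature verification failed")
	}
	var claims ALBClaims
	if err := decodeJSON(parts[1], &claims); err != nil {
		return nil, err
	}
	if !now.Before(time.Unix(claims.Exp, 0)) {
		return nil, errors.New("token expired")
	}
	return &claims, nil
}

// SignLikeALB stands in for the load balancer so the verifier can be exercised
// offline: padded base64url segments and a raw R||S signature, as ALB emits.
func SignLikeALB(priv *ecdsa.PrivateKey, kid, signer string, claims ALBClaims) (string, error) {
	hdr, _ := json.Marshal(ALBHeader{Alg: "ES256", Kid: kid, Signer: signer})
	body, _ := json.Marshal(claims)
	input := base64.URLEncoding.EncodeToString(hdr) + "." + base64.URLEncoding.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return input + "." + base64.URLEncoding.EncodeToString(sig), nil
}

func main() {
	// Constructed key pair and placeholder ARN standing in for a real ALB.
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	const arn = "arn:aws:elasticloadbalancing:REGION:ACCOUNT:loadbalancer/app/PLACEHOLDER"
	resolve := func(kid string) (*ecdsa.PublicKey, error) { return &priv.PublicKey, nil }
	tok, _ := SignLikeALB(priv, "constructed-kid", arn, ALBClaims{Sub: "123", Email: "will.rose@domain.com", Exp: time.Now().Add(time.Minute).Unix()})
	claims, err := VerifyALBToken(tok, arn, resolve, time.Now())
	fmt.Println(claims, err)
}
```

The signer check is the part most often skipped: the regional public-key endpoint serves keys for any load balancer in that region, so a signature that verifies only proves some ALB minted the token, and pinning the ARN is what ties it to yours. Tolerating padded segments matters because an off-the-shelf JWT library that rejects them tends to push developers toward reading X-Amzn-OIDC-Identity unverified.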
19. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Adoption
Native Spinnaker integration
Fully self-service with only a few clicks
No new infrastructure required
Identical integration experience across all languages
Our recommended integration path for all applications
Slide 20: Thank you!
Will Rose
wrose@netflix.com
21. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.